Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 21, 2021, 10:50 a.m.	March 21, 2021, 10:53 a.m.

Size	705.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`8446eb1134ac6b049b65eead1d545b59`
SHA256	`2879f1773178be4e0cfea138616e306939389d4d5d55ef94269cda0998cd3244`
CRC32	`D8D1D6A3`
ssdeep	`12288:f6d1H5ZszONc0D5XiUsDefzLYHEkrfcJwBg5En7Blmg7OTpVx0NTHqg5nTXt/uxO:Cd1ZZ0SXiUDfnghJumNlmgyTlWKg5nTd`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check

xckex.exe "C:\Users\test22\AppData\Local\Temp\xckex.exe"
1116
- xckex.exe "C:\Users\test22\AppData\Local\Temp\xckex.exe"
  1940

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 21, 2021, 10:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 21, 2021, 10:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 21, 2021, 10:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 21, 2021, 10:52 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 21, 2021, 10:50 a.m.			0	0
IsDebuggerPresent March 21, 2021, 10:50 a.m.			0	0
IsDebuggerPresent March 21, 2021, 10:51 a.m.			0	0
IsDebuggerPresent March 21, 2021, 10:51 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey March 21, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00784e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 21, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00784dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 21, 2021, 10:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00784dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 21, 2021, 10:50 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 21, 2021, 10:52 a.m.	stacktrace: 0x7b1790 0x7b0fb3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 93 d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7b1c03 registers.esp: 4059312 registers.edi: 4059336 registers.eax: 0 registers.ebp: 4059348 registers.edx: 195 registers.ebx: 4059604 registers.esi: 40147840 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 21, 2021, 10:52 a.m.

stacktrace:

0x7b1790
0x7b0fb3
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 93 d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7b1c03
registers.esp: 4059312
registers.edi: 4059336
registers.eax: 0
registers.ebp: 4059348
registers.edx: 195
registers.ebx: 4059604
registers.esi: 40147840
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 78 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:50 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ddf2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1940 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1940 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000afc00', u'virtual_address': u'0x00002000', u'entropy': 7.790362585097889, u'name': u'.text', u'virtual_size': u'0x000afab4'}

entropy

7.7903625851

description

A section with a high entropy has been found

entropy

0.997163120567

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 21, 2021, 10:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (20 events)

url	http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
url	http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
url	http://microsoft.com0
url	https://ezgif.com/resize
url	http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
url	http://www.microsoft.com/pkiops/docs/primarycps.htm0
url	http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
url	http://beta.visualstudio.net/net/sdk/feedback.asp
url	http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
url	http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
url	http://www.microsoft.com/PKI/docs/CPS/default.htm0
url	http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
url	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
url	http://go2.microsoft.com/fwlink/?LinkId=131738
url	https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hash%%torpass%https://www.theonionrouter.com/dist.torproject.org/torbrowser/
url	http://127.0.0.1
url	http://gyMWnS.com
url	https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
url	http://DynDns.comDynDNS
url	https://api.ipify.orgGETMozilla/5.0

Yara rule detected in process memory (50 out of 110 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications smtp	rule	network_smtp_dotNet
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	Check_Qemu_Description
description	(no description)	rule	Check_Qemu_DeviceMap
description	(no description)	rule	Check_VBox_Description
description	(no description)	rule	Check_VBox_DeviceMap
description	(no description)	rule	Check_VBox_Guest_Additions
description	(no description)	rule	Check_VBox_VideoDrivers
description	(no description)	rule	Check_VMWare_DeviceMap
description	(no description)	rule	Check_VmTools
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Affect hook table	rule	win_hook
description	Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names.	rule	vmdetect_misc
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications smtp	rule	network_smtp_dotNet
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	Check_Qemu_Description
description	(no description)	rule	Check_Qemu_DeviceMap
description	(no description)	rule	Check_VBox_Description
description	(no description)	rule	Check_VBox_DeviceMap
description	(no description)	rule	Check_VBox_Guest_Additions
description	(no description)	rule	Check_VBox_VideoDrivers
description	(no description)	rule	Check_VMWare_DeviceMap
description	(no description)	rule	Check_VmTools
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Affect hook table	rule	win_hook
description	Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names.	rule	vmdetect_misc
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications smtp	rule	network_smtp_dotNet
description	Run a keylogger	rule	keylogger
description	(no description)	rule	DebuggerCheck__GlobalFlags

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess March 21, 2021, 10:51 a.m.	status_code: 0xffffffff process_identifier: 1116 process_handle: 0x00000230		0	0
NtTerminateProcess March 21, 2021, 10:51 a.m.	status_code: 0xffffffff process_identifier: 1116 process_handle: 0x00000230		3221225738	0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1940 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 21, 2021, 10:52 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

xckex.exe tried to sleep 8184633 seconds, actually delayed analysis time by 8184633 seconds

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 21, 2021, 10:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELZ©z_àX^v @ À@vS0 H.textdV X `.rsrc0Z@@.reloc `@B base_address: 0x00400000 process_identifier: 1940 process_handle: 0x00000250	1	1
WriteProcessMemory March 21, 2021, 10:51 a.m.	buffer: 8Ph @ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d"InternalNamehFWIUxSmUEzaAvGBlxHBZxuuBkuvx.exe(LegalCopyright l"OriginalFilenamehFWIUxSmUEzaAvGBlxHBZxuuBkuvx.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 1940 process_handle: 0x00000250	1	1
WriteProcessMemory March 21, 2021, 10:51 a.m.	buffer: p`6 base_address: 0x0043a000 process_identifier: 1940 process_handle: 0x00000250	1	1
WriteProcessMemory March 21, 2021, 10:51 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1940 process_handle: 0x00000250	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 21, 2021, 10:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELZ©z_àX^v @ À@vS0 H.textdV X `.rsrc0Z@@.reloc `@B base_address: 0x00400000 process_identifier: 1940 process_handle: 0x00000250	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1116 called NtSetContextThread to modify thread in remote process 1940
NtSetContextThread March 21, 2021, 10:51 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421214 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 1940	1	0	0

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

url	https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hash%%torpass%https://www.theonionrouter.com/dist.torproject.org/torbrowser/

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1116 resumed a thread in remote process 1940
NtResumeThread March 21, 2021, 10:51 a.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 1940	1	0	0

Executed a process and injected code into it, probably while unpacking (29 events)

Time & API	Arguments	Status	Return
NtResumeThread March 21, 2021, 10:50 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread March 21, 2021, 10:50 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread March 21, 2021, 10:50 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread March 21, 2021, 10:50 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 1116	1	0
NtGetContextThread March 21, 2021, 10:50 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread March 21, 2021, 10:50 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread March 21, 2021, 10:50 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1116	1	0
NtGetContextThread March 21, 2021, 10:50 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread March 21, 2021, 10:50 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread March 21, 2021, 10:50 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1116	1	0
CreateProcessInternalW March 21, 2021, 10:51 a.m.	thread_identifier: 888 thread_handle: 0x00000248 process_identifier: 1940 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\xckex.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\xckex.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000250	1	1
NtGetContextThread March 21, 2021, 10:51 a.m.	thread_handle: 0x00000248	1	0
NtAllocateVirtualMemory March 21, 2021, 10:51 a.m.	process_identifier: 1940 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250	1	0
WriteProcessMemory March 21, 2021, 10:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELZ©z_àX^v @ À@vS0 H.textdV X `.rsrc0Z@@.reloc `@B base_address: 0x00400000 process_identifier: 1940 process_handle: 0x00000250	1	1
WriteProcessMemory March 21, 2021, 10:51 a.m.	buffer: base_address: 0x00402000 process_identifier: 1940 process_handle: 0x00000250	1	1
WriteProcessMemory March 21, 2021, 10:51 a.m.	buffer: 8Ph @ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d"InternalNamehFWIUxSmUEzaAvGBlxHBZxuuBkuvx.exe(LegalCopyright l"OriginalFilenamehFWIUxSmUEzaAvGBlxHBZxuuBkuvx.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 1940 process_handle: 0x00000250	1	1
WriteProcessMemory March 21, 2021, 10:51 a.m.	buffer: p`6 base_address: 0x0043a000 process_identifier: 1940 process_handle: 0x00000250	1	1
WriteProcessMemory March 21, 2021, 10:51 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1940 process_handle: 0x00000250	1	1
NtSetContextThread March 21, 2021, 10:51 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421214 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 1940	1	0
NtResumeThread March 21, 2021, 10:51 a.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 21, 2021, 10:51 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 21, 2021, 10:51 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 21, 2021, 10:51 a.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 21, 2021, 10:52 a.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 21, 2021, 10:52 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 21, 2021, 10:52 a.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 21, 2021, 10:52 a.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 21, 2021, 10:52 a.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 21, 2021, 10:52 a.m.	thread_handle: 0x0000040c suspend_count: 1 process_identifier: 1940	1	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.MSILPerseus.236843
FireEye	Generic.mg.8446eb1134ac6b04
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	Gen:Variant.MSILPerseus.236843
Cylance	Unsafe
Zillya	Trojan.Agensla.Win32.6790
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00570aa51 )
Alibaba	Trojan:Win32/Kryptik.ali2000016
K7GW	Trojan ( 00570aa51 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.MSILPerseus.D39D2B
Cyren	W32/MSIL_Kryptik.BVM.gen!Eldorado
Symantec	Ransom.Wannacry
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Gen:Variant.MSILPerseus.236843
NANO-Antivirus	Trojan.Win32.Agensla.hzdpgv
AegisLab	Trojan.MSIL.Agensla.i!c
Tencent	Win32.Trojan.Inject.Auto
Ad-Aware	Gen:Variant.MSILPerseus.236843
Sophos	Mal/Generic-S
DrWeb	Trojan.PackedNET.443
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Fareit.bc
MaxSecure	Trojan.Malware.300983.susgen
Emsisoft	Trojan.Agent (A)
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.PSW.MSIL.asse
Avira	TR/AD.AgentTesla.wxqoj
Gridinsoft	Trojan.Win32.Packed.oa
Microsoft	Trojan:MSIL/AgentTesla.RSE!MTB
GData	Gen:Variant.MSILPerseus.236843
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_MSILKrypt.C4204859
McAfee	PWS-FCRK!8446EB1134AC
MAX	malware (ai score=83)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack.PNG.Generic
ESET-NOD32	a variant of MSIL/Kryptik.YDG
Rising	Trojan.GenKryptik!8.AA55 (CLOUD)
Yandex	Trojan.AvsArher.bUatV3
Ikarus	Trojan.MSIL.Crypt
eGambit	Unsafe.AI_Score_99%
Fortinet	MSIL/Kryptik.YBV!tr
BitDefenderTheta	Gen:NN.ZemsilF.34628.Sm0@aqxtxMm
AVG	Win32:TrojanX-gen [Trj]
Cybereason	malicious.134ac6

xckex.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All