Report - ZeroBOX

ScreenShot

Info
Location map


Created	2022.12.10 14:57	Machine	s1_win7_x6403
Filename	svcrun.exe
Type	MS-DOS executable
AI Score	5	Behavior Score	2.6
ZERO API	file : malware
VT API (file)	14 detected (malicious, high confidence, GenCBL, Bobik, score, Krypt, Detected, Sabsik, CLOUD, susgen, confidence)
md5	fe99d84663aac2ced931d6f608103362
sha256	5b97dac5b556f97822f278cd3110dc70ec347bfc624d09d204489b21e554af46
ssdeep	49152:2CNyAT12PtS32RHZBY7FAFp4oPXuye7FZGvxvoufplm5Pvto2m1Hjx9q/S/GlNnM:SnwAFp4oPXuNZGvxlfpkVtopVxKniVR
imphash	cccaa432ffcbf2374bb59c6e72aeeefc
impfuzzy	3:tgW6IEouLdAIE3ld9CA4SOGXguvCvAXwSx2AEn:CuEoMSlqyzg6k4En

Network IP location

Signature (7cnts)

Level	Description
watch	File has been identified by 14 AntiVirus engines on VirusTotal as malicious
watch	Tries to unhook Windows functions monitored by Cuckoo
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	The binary likely contains encrypted or compressed data indicative of a packer
info	One or more processes crashed
info	The executable contains unknown PE section names indicative of a packer (could be a false positive)
info	The file contains an unknown PE resource name possibly indicative of a packer

Rules (4cnts)

Level	Name	Description	Collection
watch	UPX_Zero	UPX packed file	binaries (upload)
info	Is_DotNET_EXE	(no description)	binaries (upload)
info	IsPE64	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (0cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

shell32.dll
0x870078 ShellAboutA
mscoree.dll
0x870098 _CorExeMain
advapi32.dll
0x8700b8 RegOpenKeyExW
user32.dll
0x8700d8 WaitMessage
kernel32.dll
0x8700f8 GetModuleHandleA

EAT(Export Address Table) is none

Report - svcrun.exe

Signature (7cnts)

Rules (4cnts)

Network (0cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure