Report - svchost.exe

Gen2 Gen1 UPX Malicious Packer PE64 PE File
Created 2023.03.24 11:31 Machine s1_win7_x6401 (caveat: the sample imports API-set DLLs newer than the base Windows 7 set, e.g. api-ms-win-core-processthreads-l1-1-2 / SetProtectedPolicy, which a Windows 7 image may not be able to resolve — the low behavior score and empty network section could reflect a loader failure rather than benign behavior; rerun on a newer Windows image before trusting the dynamic verdict)
Filename svchost.exe (note: this is the same name as the legitimate Windows Service Host; the name alone is evidence neither for nor against legitimacy — check the on-disk path and the Authenticode signature)
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score
3
Behavior Score
0.6
ZERO API (file): clean — the ZERO engine flagged no malicious API activity for this file
VT API (file)
md5 8ec922c7a58a8701ab481b7be9644536
sha256 949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b
ssdeep 1536:rCmo9IYGnNMilsG6DygaOJQeYo2x8h3P2zD:oGnmi96DyLPed2i3e3
imphash 76b4bae80d2c3b08bb062d97bf9ca791
impfuzzy 96:MALWaDCUIUpEp3x0hlXR7YnxjeZ4C2vrD1rvwT+wKz/eQP5EbsQxh:MQDCUI+O3x0Dh7UxjeMwKz/eQy7xh

Signature (3cnts)

Level Description
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path (informational only; the path string itself is not reproduced in this report — review it directly before giving this finding any weight)

Rules (6cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan (generic Emotet-family heuristic; this is the only danger-level hit in the report and it is not corroborated by the behavior score, the API verdict or the network section) binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file (heuristic; the section-name signature above reports unknown rather than standard UPX section names, so confirm packing with a section/entropy dump) binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (0cnts) — no network connections were observed during this sandbox run; absence of traffic is not proof that the sample has no C2, since it may never have reached its network code on this host

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT (Import Address Table) Library — note: the imports below resolve through api-ms-win-* API-set forwarders plus ntdll; RtlSetProcessIsCritical and NtSetInformationProcess can mark the process critical so that terminating it bugchecks the system, and SetProcessMitigationPolicy / SetProtectedPolicy adjust the process's own mitigation settings — whether these are actually invoked at runtime should be checked in a debugger, not assumed from the IAT alone

api-ms-win-core-crt-l2-1-0.dll
 0x140008388 exit
 0x140008390 _initterm_e
 0x140008398 _initterm
 0x1400083a0 __wgetmainargs
api-ms-win-core-profile-l1-1-0.dll
 0x140008500 QueryPerformanceCounter
api-ms-win-core-processthreads-l1-1-0.dll
 0x1400084a0 GetCurrentProcessId
 0x1400084a8 OpenProcessToken
 0x1400084b0 ExitProcess
 0x1400084b8 GetCurrentThreadId
 0x1400084c0 GetCurrentProcess
 0x1400084c8 SetProcessAffinityUpdateMode
 0x1400084d0 TerminateProcess
api-ms-win-core-sysinfo-l1-1-0.dll
 0x140008610 GetTickCount
 0x140008618 GetTickCount64
 0x140008620 GetSystemTimeAsFileTime
api-ms-win-core-rtlsupport-l1-1-0.dll
 0x140008548 RtlVirtualUnwind
 0x140008550 RtlLookupFunctionEntry
 0x140008558 RtlCaptureContext
api-ms-win-core-errorhandling-l1-1-0.dll
 0x1400083e0 SetUnhandledExceptionFilter
 0x1400083e8 UnhandledExceptionFilter
 0x1400083f0 SetErrorMode
 0x1400083f8 GetLastError
api-ms-win-core-crt-l1-1-0.dll
 0x140008360 qsort_s
 0x140008368 memset
 0x140008370 memcpy
 0x140008378 _wcsicmp
api-ms-win-eventing-provider-l1-1-0.dll
 0x140008650 EventSetInformation
 0x140008658 EventRegister
 0x140008660 EventWriteTransfer
api-ms-win-core-libraryloader-l1-2-0.dll
 0x140008458 LoadLibraryExW
 0x140008460 FreeLibrary
 0x140008468 GetProcAddress
api-ms-win-core-heap-l1-1-0.dll
 0x140008418 HeapFree
 0x140008420 HeapAlloc
 0x140008428 HeapSetInformation
 0x140008430 GetProcessHeap
api-ms-win-core-synch-l1-1-0.dll
 0x1400085b0 ReleaseSRWLockExclusive
 0x1400085b8 EnterCriticalSection
 0x1400085c0 ReleaseSRWLockShared
 0x1400085c8 LeaveCriticalSection
 0x1400085d0 AcquireSRWLockExclusive
 0x1400085d8 AcquireSRWLockShared
 0x1400085e0 InitializeSRWLock
api-ms-win-core-string-l1-1-0.dll
 0x140008590 CompareStringOrdinal
 0x140008598 MultiByteToWideChar
 0x1400085a0 WideCharToMultiByte
api-ms-win-core-registry-l1-1-0.dll
 0x140008510 RegQueryValueExW
 0x140008518 RegGetValueW
 0x140008520 RegCloseKey
 0x140008528 RegEnumKeyExW
 0x140008530 RegDisablePredefinedCacheEx
 0x140008538 RegOpenKeyExW
api-ms-win-core-processenvironment-l1-1-0.dll
 0x140008488 GetCommandLineW
 0x140008490 ExpandEnvironmentStringsW
api-ms-win-core-processthreads-l1-1-1.dll
 0x1400084e0 SetProcessMitigationPolicy
api-ms-win-core-processthreads-l1-1-2.dll
 0x1400084f0 SetProtectedPolicy
api-ms-win-core-synch-l1-2-0.dll
 0x1400085f0 InitializeConditionVariable
 0x1400085f8 WakeAllConditionVariable
 0x140008600 SleepConditionVariableSRW
api-ms-win-core-debug-l1-1-0.dll
 0x1400083b0 DebugBreak
api-ms-win-core-localization-l1-2-0.dll
 0x140008478 LCMapStringW
api-ms-win-security-base-l1-1-0.dll
 0x140008670 MakeAbsoluteSD
 0x140008678 GetTokenInformation
 0x140008680 SetSecurityDescriptorOwner
 0x140008688 AddAccessAllowedAce
 0x140008690 SetSecurityDescriptorGroup
 0x140008698 GetLengthSid
 0x1400086a0 InitializeAcl
 0x1400086a8 SetSecurityDescriptorDacl
 0x1400086b0 InitializeSecurityDescriptor
api-ms-win-core-handle-l1-1-0.dll
 0x140008408 CloseHandle
api-ms-win-core-delayload-l1-1-1.dll
 0x1400083d0 ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll
 0x1400083c0 DelayLoadFailureHook
api-ms-win-crt-utility-l1-1-0.dll
 0x140008640 search_s
api-ms-win-core-sidebyside-l1-1-0.dll
 0x140008568 ActivateActCtx
 0x140008570 DeactivateActCtx
 0x140008578 ReleaseActCtx
 0x140008580 CreateActCtxW
api-ms-win-core-threadpool-private-l1-1-0.dll
 0x140008630 RegisterWaitForSingleObjectEx
ntdll.dll
 0x1400086c0 TpSetWait
 0x1400086c8 RtlNtStatusToDosErrorNoTeb
 0x1400086d0 EtwEventRegister
 0x1400086d8 EtwEventEnabled
 0x1400086e0 EtwEventWrite
 0x1400086e8 RtlAllocateHeap
 0x1400086f0 RtlFreeHeap
 0x1400086f8 TpSetTimerEx
 0x140008700 TpWaitForTimer
 0x140008708 TpReleaseTimer
 0x140008710 TpSetTimer
 0x140008718 TpAllocTimer
 0x140008720 RtlQueryHeapInformation
 0x140008728 TpAllocWait
 0x140008730 _vsnwprintf
 0x140008738 RtlUnhandledExceptionFilter
 0x140008740 NtSetInformationProcess
 0x140008748 RtlSetProcessIsCritical
 0x140008750 RtlImageNtHeader
 0x140008758 RtlValidSecurityDescriptor
 0x140008760 RtlRunOnceExecuteOnce
 0x140008768 NtQuerySystemInformation
 0x140008770 RtlNtStatusToDosError
 0x140008778 RtlInitializeCriticalSection
 0x140008780 RtlInitializeSid
 0x140008788 RtlSubAuthoritySid
 0x140008790 RtlGetDeviceFamilyInfoEnum
 0x140008798 RtlReleaseSRWLockExclusive
 0x1400087a0 RtlSubAuthorityCountSid
 0x1400087a8 RtlAcquireSRWLockExclusive
 0x1400087b0 RtlLengthRequiredSid
 0x1400087b8 RtlDeriveCapabilitySidsFromName
 0x1400087c0 RtlCopySid
 0x1400087c8 TpReleaseWait
api-ms-win-core-heap-l2-1-0.dll
 0x140008440 LocalFree
 0x140008448 LocalAlloc

EAT (Export Address Table): none — the file exports no functions, consistent with a standalone executable rather than a DLL


