Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 19, 2024, 2:07 p.m.	Aug. 19, 2024, 2:34 p.m.

Size	2.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2fea7433bc9da61258ef5e0856271420`
SHA256	`080341823d2fdc0977e2f30947b5bbfafe2c8f6fe808f06e1a7859d88359de8d`
CRC32	`6B3AF0D7`
ssdeep	`49152:uDg5BKHqR+ZPYnqJxLXJJRTk7WHAFjjdjjA/YiY0Y0Y0Y0YI:uD6sC+yqJ1XJnk7WHAFjjdjjA/YiY0YC`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

TMS_C020.exe "C:\Users\test22\AppData\Local\Temp\TMS_C020.exe"
2060

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 19, 2024, 2:07 p.m.	stacktrace: tms_c020+0x18e130 @ 0x58e130 tms_c020+0x18e07e @ 0x58e07e tms_c020+0x18e03f @ 0x58e03f tms_c020+0x19e731 @ 0x59e731 tms_c020+0x1a2373 @ 0x5a2373 tms_c020+0x1a2689 @ 0x5a2689 tms_c020+0x1a283a @ 0x5a283a tms_c020+0x1a167c @ 0x5a167c tms_c020+0x1a18b8 @ 0x5a18b8 tms_c020+0x1a1998 @ 0x5a1998 tms_c020+0x1a4455 @ 0x5a4455 tms_c020+0x1a42ec @ 0x5a42ec tms_c020+0x1d458e @ 0x5d458e tms_c020+0x710a7 @ 0x4710a7 tms_c020+0x59143 @ 0x459143 tms_c020+0x5c090 @ 0x45c090 tms_c020+0x58f13 @ 0x458f13 tms_c020+0x5bbe4 @ 0x45bbe4 tms_c020+0x5bc4f @ 0x45bc4f tms_c020+0x5c090 @ 0x45c090 tms_c020+0x58f13 @ 0x458f13 tms_c020+0x57c3c @ 0x457c3c tms_c020+0x1d727a @ 0x5d727a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636132 registers.edi: 1636320 registers.eax: 1636132 registers.ebp: 1636212 registers.edx: 0 registers.ebx: 5826696 registers.esi: 10061 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 19, 2024, 2:07 p.m.

stacktrace:

tms_c020+0x18e130 @ 0x58e130
tms_c020+0x18e07e @ 0x58e07e
tms_c020+0x18e03f @ 0x58e03f
tms_c020+0x19e731 @ 0x59e731
tms_c020+0x1a2373 @ 0x5a2373
tms_c020+0x1a2689 @ 0x5a2689
tms_c020+0x1a283a @ 0x5a283a
tms_c020+0x1a167c @ 0x5a167c
tms_c020+0x1a18b8 @ 0x5a18b8
tms_c020+0x1a1998 @ 0x5a1998
tms_c020+0x1a4455 @ 0x5a4455
tms_c020+0x1a42ec @ 0x5a42ec
tms_c020+0x1d458e @ 0x5d458e
tms_c020+0x710a7 @ 0x4710a7
tms_c020+0x59143 @ 0x459143
tms_c020+0x5c090 @ 0x45c090
tms_c020+0x58f13 @ 0x458f13
tms_c020+0x5bbe4 @ 0x45bbe4
tms_c020+0x5bc4f @ 0x45bc4f
tms_c020+0x5c090 @ 0x45c090
tms_c020+0x58f13 @ 0x458f13
tms_c020+0x57c3c @ 0x457c3c
tms_c020+0x1d727a @ 0x5d727a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1636132
registers.edi: 1636320
registers.eax: 1636132
registers.ebp: 1636212
registers.edx: 0
registers.ebx: 5826696
registers.esi: 10061
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 19, 2024, 2:07 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002094cc

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002a5108

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002a511c

size

0x00000274

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

ALYac	Gen:Variant.Strictor.291372
VIPRE	Gen:Variant.Strictor.291372
BitDefender	Trojan.GenericKD.73864574
Cybereason	malicious.3bc9da
Arcabit	Trojan.Generic.D4614FE0
MicroWorld-eScan	Trojan.GenericKD.73864574
Emsisoft	Trojan.GenericKD.73864574 (B)
FireEye	Trojan.GenericKD.73864574
MAX	malware (ai score=82)
GData	Trojan.GenericKD.73864574
TrendMicro-HouseCall	TROJ_GEN.R014H09HI24

TMS_C020.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All