Summary | ZeroBOX

0BC8EC41.moe

Category FILE
Machine s1_win7_x6402
Started April 1, 2021, 6:23 p.m.
Completed April 1, 2021, 6:25 p.m.
Size 2.4MB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 936, Revision Number: {54584F2F-8F2E-4DE4-8EC0-7259F4D8C778}, Number of Words: 2, Subject: FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH, Author: FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH, Name of Creating Application: Advanced Installer 16.3 build ee189028, Template: ;2052, Comments: FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH , Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5 bde37153b7f4e860adba6bbdf91220e5
SHA256 5ef702036c5c3aa2d0b6d8650e20b2c5f55776c69eebf8c700f1770b56a35c35
CRC32 887BA701
ssdeep 49152:2WHZBWVq9qVvReQ9IOsPOyHxGNzmv9NcHaTorKMIJM:huReOIOsPOyRUeN+rKMgM
Yara
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory (15 calls; every call returned Status 1, Return 0, Repeated 0)

Arguments common to all 15 calls:

process_identifier: 7140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff

base_address of each call, in the order logged:

0x70b91000
0x70bc0000
0x745f1000
0x745f2000
0x743e1000
0x743eb000
0x1000c000
0x73c81000
0x73c86000
0x736f1000
0x736fb000
0x72931000
0x72937000
0x743e1000
0x743eb000
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000003d8
filepath: C:\Users\test22\AppData\Local\Temp\~$C8EC41.moe
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$C8EC41.moe
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
Status 1, Return 0, Repeated 0
host 172.217.25.14
MicroWorld-eScan Trojan.GenericKD.34808935
ClamAV Win.Trojan.Perkiler-9761334-0
CAT-QuickHeal Trojan.Perkiler
McAfee Artemis!9310708F07B2
Zillya Trojan.Delf.Win32.126018
AegisLab Trojan.Win32.Generic.4!c
Sangfor Trojan.Win32.Save.a
Baidu Multi.Threats.InArchive
Cyren W32/Downloader.UL.gen!Eldorado
ESET-NOD32 multiple detections
TrendMicro-HouseCall Trojan.Win32.PERKILER.A
Avast Win32:Agent-BCLH [Trj]
Cynet Malicious (score: 85)
Kaspersky Trojan.VBS.Agent.avh
BitDefender Trojan.GenericKD.34808935
NANO-Antivirus Trojan.Win32.Perkiler.hmymnc
ViRobot Trojan.Win32.S.Agent.2483200
Rising Trojan.PurpleFox/MSI!1.D10D (CLASSIC)
Ad-Aware Trojan.GenericKD.34808935
Emsisoft Trojan.GenericKD.34808935 (B)
Comodo Malware@#2po5thwce7m33
DrWeb Trojan.NtRootKit.19938
TrendMicro Trojan.Win32.PERKILER.A
FireEye Trojan.GenericKD.34808935
Sophos Mal/VMProtBad-A
Avira TR/Dldr.Delf.pvour
Kingsoft Win32.Troj.Perkiler.k.(kcloud)
Microsoft TrojanDownloader:Win32/Yantai!MSR
Gridinsoft Ransom.U.Wacatac.vb
Arcabit Trojan.Generic.D2132467
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Script.Trojan.PurpleFox.D
AhnLab-V3 Dropper/MSI.PurpleFox
VBA32 BScope.Trojan.Wacatac
ALYac Trojan.GenericKD.34808935
Tencent Malware.Win32.Gencirc.10ce3cbc
MAX malware (ai score=94)
Fortinet W32/Perkiler.LAA!tr
BitDefenderTheta Gen:NN.ZedlaF.34654.@V7@aCrr@Ah
AVG Win32:Agent-BCLH [Trj]
Qihoo-360 Win32/Trojan.Generic.HgAASQ8A