popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

winlog.exe

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 April 8, 2021, 5:45 p.m. April 8, 2021, 7:45 p.m.
Size 201.3KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 d074162909d26edf4001380da0ae4743
SHA256 7b1f7ca6d7203473484a7f221f68c56eff50d196db18a18e9fcf0142dd60a02d
CRC32 6636A615
ssdeep 3072:NeYBCwqDxkJ0JhMm5oxkYrVfsd4WzJMJ7UEIyO340xtHIA9h1dfcBErq2pP6960C:NDI3hMuAydbNEI7rHIA9h1dEOeztC
Yara
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3804
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsjFFB6.tmp\uyx3hk1pib54.dll
file C:\Users\test22\AppData\Local\Temp\nsjFFB6.tmp\uyx3hk1pib54.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 172.217.25.14
Process injection Process 5620 called NtSetContextThread to modify thread in remote process 3804
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4313280
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000210
process_identifier: 3804
1 0 0
MicroWorld-eScan Gen:Variant.Jaik.45029
FireEye Gen:Variant.Jaik.45029
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 0040eff71 )
K7GW Riskware ( 0040eff71 )
Cyren W32/Injector.AGW.gen!Eldorado
ESET-NOD32 a variant of Win32/Injector.EPBH
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Jaik.45029
Ad-Aware Gen:Variant.Jaik.45029
Emsisoft Gen:Variant.Jaik.45029 (B)
MAX malware (ai score=83)
Microsoft Trojan:Win32/Wacatac.B!ml
GData Win32.Trojan-Stealer.FormBook.AOR85Z
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Reputation.R415087
Rising Trojan.Injector!8.C4 (TFE:dGZlOgamYCdEnTltqQ)
Fortinet W32/Injector.EPBA!tr
AVG Win32:PWSX-gen [Trj]
Qihoo-360 QVM42.0.Malware.Gen