Summary | ZeroBOX

notepad.exe

Analysis
Category: FILE
Machine: s1_win7_x6401
Started: April 10, 2021, 8:54 a.m.
Completed: April 10, 2021, 9 a.m.

File
Size: 2.6MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: edd497e6d8795ec05a61fa9bcaabc9a0
SHA256: 745d2e72318d1c549b1ffce8fbd3a9bde3a3358979f48756197cc5d8f85f3544
CRC32: 37BD9C85
ssdeep: 49152:GADCa/jpFxbwCUrQgHn9bSEmurvEcRHmx2cD4aiNipz9V:GAWa/1b/UrDH9BnIcdmEcD45I9V
Yara
  • Antivirus - Contains references to security software
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check
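The generic PE rules in this list (IsPE32, IsWindowsGUI, IsPacked, HasOverlay, HasRichSignature) are plain header checks that an analyst can re-run outside the sandbox. The Python below is an added example, not part of the ZeroBOX report or its Yara rule set, that implements equivalent checks with the standard library alone and runs them against a constructed minimal PE32 image. The 7.0 bits/byte packing threshold and the Rich-header heuristic (cleartext "Rich" marker followed by the XOR key, preceded by the "DanS" tag encrypted with that key) are assumptions, since the report does not publish the rules' logic, and the sample PE is built in the code rather than taken from the analysed file.

```python
import math
import struct

DOS_HEADER_SIZE = 0x40
PE32_MAGIC = 0x10B
SUBSYSTEM_WINDOWS_GUI = 2
PACKED_ENTROPY_THRESHOLD = 7.0  # assumption: the report does not state IsPacked's threshold


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """Static checks equivalent to the report's generic PE Yara hits, on a raw file image."""
    result = {"pe_signature": False, "is_pe32": False, "is_gui": False, "has_rich": False,
              "has_overlay": False, "is_packed": False, "max_section_entropy": 0.0}
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["pe_signature"] = True
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24
    if opt + opt_size + nsec * 40 > len(data):
        return result
    result["is_pe32"] = struct.unpack_from("<H", data, opt)[0] == PE32_MAGIC
    result["is_gui"] = struct.unpack_from("<H", data, opt + 68)[0] == SUBSYSTEM_WINDOWS_GUI
    # Rich header lives between the DOS header and the PE header: "DanS"^key ... "Rich" key
    rich = data.find(b"Rich", DOS_HEADER_SIZE, e_lfanew)
    if rich != -1:
        key = data[rich + 4:rich + 8]
        dans = bytes(a ^ b for a, b in zip(b"DanS", key))
        result["has_rich"] = data.find(dans, DOS_HEADER_SIZE, rich) != -1
    # Walk the section table for the highest raw end offset and the highest section entropy
    end_of_sections, max_entropy = 0, 0.0
    for i in range(nsec):
        _name, _vsize, _va, raw_size, raw_ptr, *_rest = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
        max_entropy = max(max_entropy, shannon_entropy(data[raw_ptr:raw_ptr + raw_size]))
    result["max_section_entropy"] = round(max_entropy, 3)
    result["is_packed"] = max_entropy >= PACKED_ENTROPY_THRESHOLD
    result["has_overlay"] = len(data) > end_of_sections   # bytes past the last section
    return result


def build_sample_pe(packed: bool, overlay: bool) -> bytes:
    """Constructed minimal PE32 GUI image (not the report's sample): Rich header, one .text section."""
    key = b"\x11\x22\x33\x44"
    xor = lambda s: bytes(a ^ b for a, b in zip(s, key))
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                     # e_lfanew
    rich = (xor(b"DanS") + key * 3                               # tag + three encrypted zero dwords
            + xor(b"\x01\x00\x5e\x00") + xor(b"\x03\x00\x00\x00")  # one (compid, count) entry
            + b"Rich" + key)
    stub = bytes(dos) + rich
    stub += b"\0" * (0x80 - len(stub))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, SUBSYSTEM_WINDOWS_GUI)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = stub + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))
    # High-entropy body (every byte value twice, entropy 8.0) versus a NOP sled ending in RET
    body = bytes(range(256)) * 2 if packed else b"\x90" * 0x1FF + b"\xC3"
    image = headers + body
    if overlay:
        image += b"constructed overlay data"
    return image


if __name__ == "__main__":
    print(triage(build_sample_pe(packed=True, overlay=True)))
```

Pointing `triage()` at a real file (`triage(open(path, "rb").read())`) gives the same five flags the report shows for this sample; a packed, overlaid VB6 binary such as this one would be expected to light up IsPacked and HasOverlay together, which is why those two hits are worth more attention than the unconditional IsPE32/IsWindowsGUI ones.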

Network

DNS (Name / Response / Post-Analysis Lookup): no hosts contacted.

IP Address      Status   Action
164.124.101.2   Active   Moloch

Suricata Alerts: none

Suricata TLS: none

Behavior: exception raised inside the sample process

__exception__

stacktrace:
  EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
  rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887 (0xb727)
exception.address: 0x76a7b727
registers.esp: 1636868 (0x18fa04)
registers.edi: 2901632 (0x2c4680)
registers.eax: 1636868 (0x18fa04)
registers.ebp: 1636948 (0x18fa54)
registers.edx: 0
registers.ebx: 2901632 (0x2c4680)
registers.esi: 2901632 (0x2c4680)
registers.ecx: 2
status: 1, return: 0, repeated: 0

Both stack frames are inside msvbvm60.dll, the Visual Basic 6 runtime, and exception code 0xc000008f raised through RaiseException from the runtime's error path is how VB6 reports its own run-time errors. This is a handled VB error, not a memory-corruption fault, and together with the PE32 GUI header it identifies the sample as a VB6 executable.
Behavior: memory operations inside the sample process (pid 1468; process_handle 0xffffffff is the pseudo-handle for the current process)

NtProtectVirtualMemory
base_address: 0x72d72000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory, six calls with identical arguments except base_address:
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
allocation_type: 4096 (MEM_COMMIT)
stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0
status: 1, return: 0, repeated: 0
base_address per call, in trace order: 0x024e0000, 0x024f0000, 0x02500000, 0x02510000, 0x02520000, 0x02790000
Resources
name RT_STRING language LANG_LITHUANIAN sublanguage SUBLANG_LITHUANIAN_CLASSIC filetype data offset 0x000d73e0 size 0x00000028 (this entry appears three times in the resource listing)
Behavior: the call the sandbox flags as heap_dep_bypass (pid 1468, process_handle 0xffffffff); 24 KiB of heap memory is made executable, which is what the disable_dep signature below reports

NtProtectVirtualMemory
base_address: 0x00710000
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 1
status: 1, return: 0, repeated: 0
Signatures
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vba - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP

Dropped buffers
  • Buffer with sha1: 1e45c19599479a6673c137ed59386b56696b4949
  • Buffer with sha1: 156578aa646b102794128ef2c4cd58a8217103a0
Process injection: process 1468 allocated executable memory in non-child process 1224

NtAllocateVirtualMemory
process_identifier: 1224
process_handle: 0x00000164
base_address: 0x793d0000
region_size: 6991872 (0x6ab000)
protection: 64 (PAGE_EXECUTE_READWRITE)
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0
status: 1, return: 0, repeated: 0

Process injection: process 1468 manipulating memory of non-child process 1224

NtUnmapViewOfSection
process_identifier: 1224
process_handle: 0x00000164
base_address: 0x793d6a79
region_size: 96313344
return: 3221225497 (0xc0000019, STATUS_NOT_MAPPED_VIEW: the address is not the base of a mapped view, so nothing was unmapped), repeated: 0

NtAllocateVirtualMemory (same arguments as the call above: 6991872 bytes PAGE_EXECUTE_READWRITE at 0x793d0000 in pid 1224, MEM_COMMIT|MEM_RESERVE)
status: 1, return: 0, repeated: 0

Process injection: process 1468 injected into non-child 1224

WriteProcessMemory
process_identifier: 1224
process_handle: 0x00000164
base_address: 0x7efde008
buffer: yj=y (bytes 79 6a 3d 79, i.e. the little-endian dword 0x793d6a79, the same value passed to NtUnmapViewOfSection)
status: 1, return: 1, repeated: 0
Antivirus

Bkav: W32.AIDetect.malware2
Elastic: malicious (high confidence)
FireEye: Generic.mg.edd497e6d8795ec0
Cylance: Unsafe
BitDefenderTheta: Gen:NN.ZevbaF.34670.Oo3@a8Gk6ZgO
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Injector.DMOQ
APEX: Malicious
Avast: FileRepMalware
Sophos: ML/PE-A
Microsoft: Trojan:Win32/Wacatac.B!ml
Malwarebytes: Malware.AI.2168864649
SentinelOne: Static AI - Suspicious PE
AVG: FileRepMalware
Qihoo-360: HEUR/QVM03.0.798A.Malware.Gen
Process injection: process 1468 called NtSetContextThread to modify thread in remote process 1224

NtSetContextThread
process_identifier: 1224
thread_handle: 0x000000f8
registers.eip: 2000355780 (0x773b01c4)
registers.esp: 1638384 (0x18fff0)
registers.eax: -1900647815 (0x8eb66a79 as unsigned; in the initial context of a suspended x86 process eax holds the entry point, so this sets the new entry point)
registers.ebx: 2130567168 (0x7efde000, the PEB of the new process; the 4-byte WriteProcessMemory to 0x7efde008 above therefore overwrote PEB.ImageBaseAddress with 0x793d6a79)
registers.edi: 0, registers.ebp: 0, registers.edx: 0, registers.esi: 0, registers.ecx: 0
status: 1, return: 0, repeated: 0

The entry point 0x8eb66a79 lies above 0x80000000, outside the user-mode half of a default 32-bit Windows 7 address space and well past the end of the region allocated at 0x793d0000 (0x793d0000 + 0x6ab000 = 0x79a7b000), so the resumed thread cannot have started the injected image as intended in this run.

Process injection: process 1468 resumed a thread in remote process 1224

NtResumeThread
process_identifier: 1224
thread_handle: 0x000000f8
suspend_count: 1
status: 1, return: 0, repeated: 0
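The signature blocks above are the textbook process-hollowing sequence: a child created with CREATE_SUSPENDED, NtUnmapViewOfSection on it, an RWX NtAllocateVirtualMemory in the child, WriteProcessMemory, NtSetContextThread on the child's primary thread and NtResumeThread. The Python below is an added example, not part of ZeroBOX or of this report, showing how to correlate hooked-API records of that shape into one finding per target process. The event list is reconstructed from the values on this page (pids, handles, addresses, return codes and registers as logged); the record layout (api/pid/args/ret dictionaries) is an assumption, not the sandbox's real export format. The detector also decodes the PEB write (buffer "yj=y" at PEB+8 gives image base 0x793d6a79) and turns the signed register values into the unsigned addresses they denote.

```python
import struct

CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40
PEB_IMAGE_BASE_OFFSET = 8        # PEB.ImageBaseAddress on 32-bit Windows


def u32(value: int) -> int:
    """Sandbox logs print registers and NTSTATUS values as signed decimals; view them as unsigned 32-bit."""
    return value & 0xFFFFFFFF


def detect_hollowing(events):
    """Correlate a hooked-API trace into process-hollowing findings, one per suspended child.

    events: list of dicts {api, pid (caller), args (dict), ret (int)} in trace order.
    """
    targets = {}                 # target pid -> finding under construction
    for ev in events:
        api, args, ret = ev["api"], ev["args"], ev["ret"]
        if api == "CreateProcessInternalW" and args.get("creation_flags", 0) & CREATE_SUSPENDED:
            targets[args["process_identifier"]] = {
                "source_pid": ev["pid"], "target_pid": args["process_identifier"],
                "image": args["filepath"], "thread_handle": args["thread_handle"],
                "unmap_status": None, "rwx_regions": [], "writes_ok": 0, "writes_failed": 0,
                "peb_image_base_write": None, "new_entry_point": None,
                "context_set": False, "resumed": False}
            continue
        t = targets.get(args.get("process_identifier"))
        if t is None or ev["pid"] == t["target_pid"]:
            continue             # not a cross-process call into a suspended child
        if api == "NtUnmapViewOfSection":
            t["unmap_status"] = u32(ret)
        elif api == "NtAllocateVirtualMemory" and args["protection"] == PAGE_EXECUTE_READWRITE:
            t["rwx_regions"].append((args["base_address"], args["region_size"]))
        elif api == "WriteProcessMemory":
            if ret:              # BOOL: 0 means the write failed
                t["writes_ok"] += 1
                t.setdefault("_writes", []).append((args["base_address"], args["buffer"]))
            else:
                t["writes_failed"] += 1
        elif api == "NtSetContextThread" and args["thread_handle"] == t["thread_handle"]:
            t["context_set"] = True
            regs = args["registers"]
            # Initial x86 thread context of a suspended process: eax = entry point, ebx = PEB
            t["new_entry_point"] = u32(regs["eax"])
            peb = u32(regs["ebx"])
            for base, buf in t.pop("_writes", []):
                if base == peb + PEB_IMAGE_BASE_OFFSET and len(buf) == 4:
                    t["peb_image_base_write"] = struct.unpack("<I", buf)[0]
        elif api == "NtResumeThread" and args["thread_handle"] == t["thread_handle"]:
            t["resumed"] = True
    findings = []
    for t in targets.values():
        t.pop("_writes", None)
        stages = [bool(t["rwx_regions"]), t["writes_ok"] > 0, t["context_set"], t["resumed"]]
        t["verdict"] = "process hollowing" if all(stages) else "suspended child, incomplete chain"
        findings.append(t)
    return findings


# Reconstructed from this report's trace (values as logged); the dict layout is an assumption.
SAMPLE_TRACE = [
    {"api": "CreateProcessInternalW", "pid": 1468, "ret": 1, "args": {
        "filepath": r"C:\Users\test22\AppData\Local\Temp\notepad.exe", "creation_flags": 4,
        "process_identifier": 1224, "process_handle": 0x164, "thread_handle": 0xF8}},
    {"api": "NtUnmapViewOfSection", "pid": 1468, "ret": 3221225497, "args": {
        "process_identifier": 1224, "base_address": 0x793D6A79, "region_size": 96313344}},
    {"api": "NtAllocateVirtualMemory", "pid": 1468, "ret": 0, "args": {
        "process_identifier": 1224, "base_address": 0x793D0000, "region_size": 6991872,
        "protection": 0x40, "allocation_type": 0x3000}},
    {"api": "WriteProcessMemory", "pid": 1468, "ret": 1, "args": {
        "process_identifier": 1224, "base_address": 0x7EFDE008, "buffer": b"yj=y"}},
    {"api": "WriteProcessMemory", "pid": 1468, "ret": 0, "args": {
        "process_identifier": 1224, "base_address": 0x793D6A79, "buffer": b""}},
    {"api": "NtSetContextThread", "pid": 1468, "ret": 0, "args": {
        "process_identifier": 1224, "thread_handle": 0xF8,
        "registers": {"eip": 2000355780, "esp": 1638384, "eax": -1900647815, "ebx": 2130567168}}},
    {"api": "NtResumeThread", "pid": 1468, "ret": 0, "args": {
        "process_identifier": 1224, "thread_handle": 0xF8, "suspend_count": 1}},
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print({k: (hex(v) if isinstance(v, int) and k.endswith(("status", "write", "point")) else v)
               for k, v in finding.items()})
```

Keying the state on the suspended child's pid and only accepting context and resume calls on the thread handle returned by CreateProcessInternalW keeps the detector from being fooled by an unrelated NtResumeThread elsewhere in the trace; the failed-write counter and the NTSTATUS of the unmap are kept in the finding because, as this page shows, a chain can be complete in shape yet misfire in execution.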
Behavior: full cross-process API trace, process 1468 -> child process 1224 (process_handle 0x00000164, thread_handle 0x000000f8)

CreateProcessInternalW
filepath: C:\Users\test22\AppData\Local\Temp\notepad.exe
filepath_r: C:\Users\test22\AppData\Local\Temp\notepad.EXE
command_line: (empty)
current_directory: (empty)
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
track: 1
stack_pivoted: 0
process_identifier: 1224
thread_identifier: 2260
process_handle: 0x00000164
thread_handle: 0x000000f8
status: 1, return: 1, repeated: 0

NtUnmapViewOfSection
base_address: 0x793d6a79
region_size: 96313344
process_identifier: 1224
process_handle: 0x00000164
return: 3221225497 (0xc0000019), repeated: 0

NtAllocateVirtualMemory
base_address: 0x793d0000
region_size: 6991872
protection: 64 (PAGE_EXECUTE_READWRITE)
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0
process_identifier: 1224
process_handle: 0x00000164
status: 1, return: 0, repeated: 0

WriteProcessMemory: 47 calls, each with an empty buffer, process_identifier 1224, process_handle 0x00000164, return 0 (FALSE) and repeated 0. Target base_address per call, in trace order:
 1. 0x793d6a79
 2. 0xf2b6afd9
 3. 0x1ce6b02f
 4. 0xe1b6e3be
 5. 0x797e361a
 6. 0xba090bb9
 7. 0xe8e40be8
 8. 0xbce813be
 9. 0xe3e813be
10. 0x1fde6ab9
11. 0xd08dd3be
12. 0x227c6ab9
13. 0xa952e3e8
14. 0x817ea9f2
15. 0xd69ea9d4
16. 0x1ab6dfd6
17. 0xf2e113ee
18. 0xc286b3c2
19. 0xf67c6ad6
20. 0xf2b6df81
21. 0xba7d0e22
22. 0xf2b6dfb8
23. 0xb85fdee8
24. 0xd77e9dd8
25. 0x4cdfa9c9
26. 0xba7ce3f2
27. 0x1b45abb8
28. 0x8634135f
29. 0xbae40b81
30. 0xeee40bb8
31. 0xeee40bb8
32. 0x1be63e1b
33. 0xbce813de
34. 0xf23dab44
35. 0x1a45abb8
36. 0xca3d6a7d
37. 0x1fde72ba
38. 0xb8b6e3bc
39. 0xba9ac5d7
40. 0xba7ce3f2
41. 0xde8ec079
42. 0xde49dff2
43. 0x793fa9de
44. 0xba9ac5d7
45. 0x817ea9f2
46. 0x1b3d6a79
47. 0x797e361a

Every one of these writes returned FALSE, and only the first targets an address near the region allocated at 0x793d0000 (0x793d6a79, the same value passed to NtUnmapViewOfSection and written into the PEB); the rest are scattered across the address space. This trace therefore contains no successful bulk write into the child's RWX region.