Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 16, 2021, 6:48 p.m.	April 16, 2021, 6:50 p.m.

Size	7.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5	`66e25d4c12fb491e0a5c5b8dcd9fa85a`
SHA256	`719773cb460bbc9727a5287e754edd398ead64879d229afb6130638e5dde9d19`
CRC32	`83A45FFE`
ssdeep	`196608:x4zB7jSSso98MbfUZ+aBZVPgYY5hn3WMKrXsQX1lnkM7W4eluPlEf:x4ZSS8Of++a1ItDnGTIQXvnH7W4elus`
Yara	PE_Header_Zero - PE File Signature Zero win_registry - Affect system registries win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasRichSignature - Rich Signature Check

46911997163.exe "C:\Users\test22\AppData\Local\Temp\46911997163.exe"
3024
- EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
  288
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 16, 2021, 6:48 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 16, 2021, 6:48 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (33 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x30053000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ee61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f3ca000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75738000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72851000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72295000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x721b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03210000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x721a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04260000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7201f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7201f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dbe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2021, 6:48 p.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 16, 2021, 6:42 p.m.	total_number_of_free_bytes: 13691863040 free_bytes_available: 13691863040 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (6 events)

name

RT_ICON

language

LANG_JAPANESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00012478

size

0x00000128

name

RT_ICON

language

LANG_JAPANESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00012478

size

0x00000128

name

RT_DIALOG

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00012690

size

0x00000124

name

RT_DIALOG

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00012690

size

0x00000124

name

RT_GROUP_ICON

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000125a0

size

0x00000022

name

RT_VERSION

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000127b8

size

0x00000350

Creates (office) documents on the filesystem (47 events)

file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ƒc[ƒ‹.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ŒÚ‹qƒtƒ@ƒCƒ‹.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\–¾×‘’•¶‘.pdf
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‘Š‡•\.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Žx‹‹Tœˆê——c.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Web–¾×ƒf[ƒ^ì¬.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\•”–å•Êˆê——.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‘Ž®W\”ñ‹ZŽÒ“™‚ÉŽx•¥‚í‚ê‚é‹‹—^“™‚ÌŽx•¥’²‘‡Œv•\.pdf
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‘Ž®W\Œ¹òŠ“¾Å‚Ì”[Šú‚Ì“Á—á‚Ì³”F.pdf
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ƒo[ƒWƒ‡ƒ“î•ñ.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ƒtƒ@ƒCƒ‹o—Í.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Œ¹ò’¥Žû•ë.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\—L‹‹Žg—p“ú”.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\”N’²ˆê——•\.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Œ¹ò’¥Žû•[.xlsm
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‰ïŽÐ‚ÌŽÐ‰ï•ÛŒ¯—¿.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Œ¹ò’¥Žû•[2016.xlsm
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‘ä’ NewŽ‘—¿.xlsm
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\–{”N“ü‘ÞŽÐî•ñ.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\•”–å•Ê‹Î‘Óˆê——.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ÅŠz•\Ø‘Ö.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Ü—^“Á—áŒ¹òÅˆóü.xlsx
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‰ß‹ŽCells‹‹—^.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Cells‹‹—^•}—{ch.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ŒÂlî•ñ•À‚Ñ‘Ö‚¦.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‘O”N’À‹à”äŠr.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‘Ž®W\”[Šú‚Ì“Á—á‚ÉŠY“–‚µ‚È‚‚È‚Á‚½“Ío.pdf
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ƒtƒ@ƒCƒ‹‡Œv.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Z–¯Å“ü—Í.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Žx•¥ó‹µ“à–ó.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\ƒZƒ‹ƒY‹‹—^Up.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\”Ž®î•ñ\Šù’è‚Ì”Ž®.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‘S‹â‹¦ƒR[ƒh.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‘Ž®W\”ñ‹ZŽÒ“™‚ÉŽx•¥‚í‚ê‚é‹‹—^“™‚ÌŽx•¥’²‘.pdf
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Cells‹‹—^.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ƒZƒ‹ƒY•Û‘¶ƒf[ƒ^.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\Œ¹òŠ“¾Å.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ŒÂlî•ñˆê——•\.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\V‹Kì¬.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\’À‹à•ªÍ.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‘Ž®W\‘ÞEŠ“¾\‘.pdf
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\‹‹—^‹tŽZ.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\•½‹Ï‹Î‘Óˆê——.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\•”–å•Êˆê——c.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ƒZƒ‹ƒYkk.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\ÅŠz•\.xls
file	C:\Users\test22\AppData\Local\Temp\201704051001\UpFile\’À‹à‘ä’ Œ“‹Î‘Ó‘ä’ .xls

Creates a shortcut to an executable file (1 event)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Excel 2007.lnk

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

CAT-QuickHeal	X97M.Dropper.AX
TrendMicro	HEUR_VBA.D
F-Prot	New or modified X97M/Downldr
Symantec	Trojan.Gen.2
ClamAV	Doc.Dropper.Agent-6202847-0
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Avast	Other:Malware-gen [Trj]
McAfee-GW-Edition	RDN/GenDownloader.avl
Cyren	X97M/Downldr
Jiangmin	TrojanDropper/MSWord.Agent.gj
Antiy-AVL	Trojan[Downloader]/MSOffice.Agent.pua
Microsoft	PUA:Win32/Presenoker
AegisLab	Trojan.Win32.Generic.4!c
McAfee	Artemis!66E25D4C12FB
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CIP19
Rising	Heur.Macro.Downloader.a (CLASSIC)
Qihoo-360	Win32/Trojan.045

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

46911997163.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All