Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 29, 2021, 10:19 p.m.	April 29, 2021, 10:28 p.m.

Size	325.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`509ddf0357ba0d4a11f09629e068f9f1`
SHA256	`2b1beabbc3435f85fedce9d5ad8be0e6f76aac02b56cb8243de63df48536c1c7`
CRC32	`92A08416`
ssdeep	`6144:KNp0iJvK3ugqesNXmakDFVHN+/EwoWoxSUYsJoO4aMDnXrk+:c0iJvKe1esNXmxr4T9oFKVaMDXI+`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

download.blog "C:\Users\test22\AppData\Local\Temp\download.blog"
2444

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 29, 2021, 10:19 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10005000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10005000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10002000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72761000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10002000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72801000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72722000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2021, 10:19 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\nsl6386.tmp\KillProcDLL.dll
file	C:\Users\test22\AppData\Local\Temp\nsl6386.tmp\InstallOptions.dll
file	C:\Users\test22\AppData\Local\Temp\nsl6386.tmp\DLLWaitForKillProgram.dll

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\nsl6386.tmp\InstallOptions.dll
file	C:\Users\test22\AppData\Local\Temp\nsl6386.tmp\KillProcDLL.dll
file	C:\Users\test22\AppData\Local\Temp\nsl6386.tmp\DLLWaitForKillProgram.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (39 events)

Time & API	Arguments	Status	Return
Process32FirstW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: [System Process] process_identifier: 0	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: System process_identifier: 4	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: smss.exe process_identifier: 224	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: csrss.exe process_identifier: 300	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: wininit.exe process_identifier: 348	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: winlogon.exe process_identifier: 396	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: services.exe process_identifier: 440	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 568	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 640	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 700	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 776	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: audiodg.exe process_identifier: 892	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 968	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 264	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: spoolsv.exe process_identifier: 820	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 1192	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: srvany.exe process_identifier: 1244	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: taskhost.exe process_identifier: 1284	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: KMService.exe process_identifier: 1324	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: conhost.exe process_identifier: 1376	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: sppsvc.exe process_identifier: 1800	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 1876	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: dwm.exe process_identifier: 1496	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: explorer.exe process_identifier: 1848	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: WmiPrvSE.exe process_identifier: 1916	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: pw.exe process_identifier: 2816	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: SearchIndexer.exe process_identifier: 2940	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: SearchProtocolHost.exe process_identifier: 1480	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: SearchFilterHost.exe process_identifier: 3040	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: SearchProtocolHost.exe process_identifier: 2120	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: mobsync.exe process_identifier: 1068	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: pw.exe process_identifier: 3060	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: taskhost.exe process_identifier: 2764	1	1
Process32NextW April 29, 2021, 10:19 p.m.	snapshot_handle: 0x00000220 process_name: download.blog process_identifier: 2444	1	1

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

MicroWorld-eScan	Trojan.Generic.6638542
McAfee	Artemis!509DDF0357BA
Cylance	Unsafe
Sangfor	Trojan.Win32.Danginex.mt
Alibaba	TrojanDropper:Win32/Dapato.b4740519
Arcabit	Trojan.Generic.D654BCE
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	Trojan-Dropper.Win32.Dapato.qdfx
BitDefender	Trojan.Generic.6638542
NANO-Antivirus	Trojan.Win32.Agent.nqoln
Avast	Win32:Trojan-gen
Tencent	Win32.Trojan-Downloader.Agent.bent
Emsisoft	Trojan.Generic.6638542 (B)
Comodo	TrojWare.Win32.TrojanDownloader.Agent.~HHH@1mspdv
F-Secure	Trojan.TR/Dldr.Agent.swno
DrWeb	Trojan.DownLoad3.17989
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0OL420
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.Generic.6638542
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.FraudLoad
Jiangmin	TrojanDownloader.Agent.dzab
Avira	TR/Dldr.Agent.swno
Kingsoft	Win32.TrojDownloader.Agent.sw.(kcloud)
Microsoft	Trojan:Win32/Danginex
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	HEUR:Trojan-Dropper.Win32.Dapato.gen
GData	Trojan.Generic.6638542
Cynet	Malicious (score: 99)
ALYac	Trojan.Generic.6638542
MAX	malware (ai score=81)
VBA32	BScope.TrojanDownloader.Agent
Rising	Trojan.Danginex!8.318 (CLOUD)
Yandex	Trojan.DL.Agent!oJm0XABHGwQ
Fortinet	W32/Agent.SWNO!tr.dldr
BitDefenderTheta	Gen:NN.ZexaF.34684.xq0@aGcRP3nG
AVG	Win32:Trojan-gen
Cybereason	malicious.357ba0
Panda	Trj/CI.A

download.blog

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All