Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 6:16 p.m.	June 25, 2021, 6:18 p.m.

Size	272.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 09:56:09 2012, Create Time/Date: Fri Sep 21 09:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 11:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5	`2220944d9985a6843374f41b835a9825`
SHA256	`3d5d3eb3853ff82697da75cf6da041f61f72e06d686010a02d52ebaa63ddca65`
CRC32	`59A584BB`
ssdeep	`6144:5EtTqjFaFtV9KoA68Atd/Tdle0U0gCKTkn9om07/6s2eD5HG:5E9fN26ZtLlDGCos9ofis2gH`
Yara	Microsoft_Office_File_Zero - Microsoft Office File

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\sai.msi
2288
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 25, 2021, 6:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 25, 2021, 6:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 6:16 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 6:16 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 6:16 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72821000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66a91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x039a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 6:16 p.m.	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:09 p.m.	process_identifier: 1848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770d6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:09 p.m.	process_identifier: 1848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770d9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:09 p.m.	process_identifier: 1848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770d3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 6:09 p.m.	process_identifier: 1848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770d8000 process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explorer.exe tried to sleep 172 seconds, actually delayed analysis time by 172 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 25, 2021, 6:16 p.m.	total_number_of_free_bytes: 13297098752 free_bytes_available: 13297098752 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceW June 25, 2021, 6:16 p.m.	number_of_free_clusters: 3246362 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 6:16 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1848 manipulating memory of non-child process 8780
NtAllocateVirtualMemory June 25, 2021, 6:09 p.m.	process_identifier: 8780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00000000000b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000002b10	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

ALYac	Trojan.GenericKD.37144575
Sangfor	Infostealer.MSIL.Agensla.gen
Cyren	W32/Ninjector.J.gen!Camelot
Symantec	Trojan.Gen.2
ESET-NOD32	NSIS/Injector.AMY
TrendMicro-HouseCall	TROJ_GEN.R002H0DFO21
Avast	Win32:Malware-gen
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-PSW.Win32.Agensla.gen
BitDefender	Trojan.GenericKD.37144575
Rising	Trojan.Injector/NSIS!1.D784 (CLASSIC)
Sophos	Mal/Generic-S
DrWeb	Trojan.Loader.847
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.37144575
Emsisoft	Trojan.Agent (A)
Avira	TR/Injector.ivwpn
Gridinsoft	Trojan.Win32.Agent.dd!n
Microsoft	Trojan:Win32/SpyNoon.SS!MTB
AegisLab	Trojan.MSIL.Agensla.i!c
GData	Generic.Trojan.Agent.UD5G6Q
McAfee	RDN/Generic PWS.y
MAX	malware (ai score=81)
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	W32/Kryptik.J!tr
AVG	Win32:Malware-gen

sai.msi

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All