Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 2, 2021, 3:08 p.m.	July 2, 2021, 3:11 p.m.

Size	847.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`586d6732d8c8d4045b05276f2a0cbf53`
SHA256	`ad534790700a9daa5fda6452692590e5e8c86d6a86aec0110822d0b54a6c21d9`
CRC32	`CD119732`
ssdeep	`24576:NmSo/l/4X2EM3GdNsFiKZqzYvqi/NmZrRV/tJ:NcaXNM2PBKZAsAZrRVVJ`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

포트폴리오_210628(경력사항도 같이 기재하였습니다 잘 부탁드립니다).exe "C:\Users\test22\AppData\Local\Temp\포트폴리오_210628(경력사항도 같이 기재하였습니다 잘 부탁드립니다).exe"
2648

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 2, 2021, 3:08 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 2, 2021, 3:09 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x76713ef4 registers.esp: 1637240 registers.edi: 0 registers.eax: 42371472 registers.ebp: 1637268 registers.edx: 1 registers.ebx: 0 registers.esi: 5853872 registers.ecx: 1920873948	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 2, 2021, 3:09 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x76713ef4
registers.esp: 1637240
registers.edi: 0
registers.eax: 42371472
registers.ebp: 1637268
registers.edx: 1
registers.ebx: 0
registers.esi: 5853872
registers.ecx: 1920873948

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 2, 2021, 3:08 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729c2000 process_handle: 0xffffffff	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37164865
ALYac	Trojan.Ransom.Makop
Sangfor	Trojan.Win32.DelShad.gen
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/DelShad.e5934532
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.170807
Arcabit	Trojan.Generic.D2371741
Symantec	Downloader
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Ransom.Win32.Cryptor.gen
BitDefender	Trojan.GenericKD.37164865
Avast	Win32:NSISDropper-B [Drp]
Ad-Aware	Trojan.GenericKD.37164865
Emsisoft	Trojan.GenericKD.37164865 (B)
DrWeb	Trojan.Siggen14.19488
McAfee-GW-Edition	BehavesLike.Win32.AdwareAdload.cc
FireEye	Generic.mg.586d6732d8c8d404
Sophos	Mal/Generic-R + Troj/Ransom-GIF
Gridinsoft	Ransom.Win32.Wacatac.sa
AegisLab	Trojan.Win32.DelShad.4!c
ZoneAlarm	HEUR:Trojan-Ransom.Win32.Cryptor.gen
GData	Trojan.GenericKD.37164865
Cynet	Malicious (score: 100)
AhnLab-V3	Ransomware/Win.MakopRansom.C4537699
McAfee	RDN/Ransom
VBA32	Trojan.DelShad
Malwarebytes	Ransom.Oled
Rising	Trojan.Injector/NSIS!1.BFBB (CLASSIC)
Yandex	Trojan.Slntscn24.bVVB1s
Fortinet	NSIS/Injector.777B!tr.ransom
AVG	Win32:NSISDropper-B [Drp]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/TrojanDropper.Generic.HyoDQ8wA

포트폴리오_210628(경력사항도 같이 기재하였습니다 잘 부탁드립니다).exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All