Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 9, 2021, 6:09 p.m.	July 9, 2021, 6:11 p.m.

Size	8.2KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`71999a9d2f15e164c9b1fa926aa6444b`
SHA256	`da92436d2bbcdef52b11ace6e2e063e9971cefc074d194550bd425305c97cdd5`
CRC32	`054E9ECB`
ssdeep	`192:/arm5dHoAR5V98geGR4qUg3fjRORjkSRQvRIPLBaGxmBWzMIAlPoP8L7T:/audHjf98lRqTP9UgYCGNaGxmNDlo8L3`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\92375234.xml.html
2468
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2468 CREDAT:145409
  2576

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (50 out of 111 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 region_size: 6361088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002800000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007749d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc4f5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc4f5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdfd4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe811000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007748a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa2c7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69f9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e10000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007749d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc4f5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdfd4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe811000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007748a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2576 region_size: 10031104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ec0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007749d000 process_handle: 0xffffffffffffffff	1

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Symantec	ISB.Downloader!gen80
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 9, 2021, 6:09 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff80000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2468 CREDAT:145409

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2468 resumed a thread in remote process 2576
NtResumeThread July 9, 2021, 6:09 p.m.	thread_handle: 0x0000000000000360 suspend_count: 1 process_identifier: 2576	1	0	0

92375234.xml.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All