Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 31, 2021, 1:31 p.m.	July 31, 2021, 1:36 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`036bee46548f543c263666d864125a60`
SHA256	`2ea8a6e52838153831b064c6c9a797705e3acc60cfe34bdb237cbd8a360cc73b`
CRC32	`514BF5D5`
ssdeep	`24576:ZBi1ZPMnPUr5e4hty7lBljBBDNGfbyRHlwLeILT8n0i2vFYBgwT6d9LZzyCvxH:S1ZEnPUr53ty7l3jBB0jyZlwPLsr2GB8`
Yara	IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\lv.exe
1440

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 31, 2021, 1:31 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ac72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:31 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ac5b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:31 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ac56000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:31 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ac3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:31 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ac47000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:31 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ac2b000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$lv.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 31, 2021, 1:31 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000048c filepath: C:\Users\test22\AppData\Local\Temp\~$lv.exe desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$lv.exe create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 31, 2021, 1:31 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

The process winword.exe wrote an executable file to disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\lv.exe
file	C:\Users\test22\AppData\Local\Temp\~$lv.exe

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Lionic	Trojan.Win32.Crypzip.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.MulDrop17.64590
MicroWorld-eScan	Trojan.GenericKD.37236726
FireEye	Trojan.GenericKD.37236726
CAT-QuickHeal	Trojan.Crypzip
ALYac	Trojan.GenericKD.37236726
Cylance	Unsafe
Zillya	Backdoor.Agent.Win32.79796
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Crypzip.a3b9a1a2
K7GW	Trojan ( 0054c4a01 )
K7AntiVirus	Trojan ( 0054c4a01 )
BitDefenderTheta	Gen:NN.ZexaE.34050.nr3@aCQvdHok
Cyren	W32/Trojan.TEFC-1790
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Filerepmalware-9864117-0
Kaspersky	Trojan.Win32.Crypzip.tp
BitDefender	Trojan.GenericKD.37236726
NANO-Antivirus	Trojan.Win32.Racealer.ixpapu
SUPERAntiSpyware	Trojan.Agent/Gen-Crypzip
Avast	Win32:Malware-gen
Rising	Trojan.HiddenRun/SFX!1.D57B (CLASSIC)
Ad-Aware	Trojan.GenericKD.37236726
Sophos	Mal/Generic-S
Comodo	Malware@#2mq839n8cl9ck
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R067C0DGC21
McAfee-GW-Edition	BehavesLike.Win32.GenDownloader.tc
Emsisoft	Trojan.Crypt (A)
SentinelOne	Static AI - Suspicious PE
Avira	HEUR/AGEN.1140896
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Generic.ASMalwS.34122F4
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:Win32/Azorult.OI!MTB
Gridinsoft	Trojan.Win32.Banker.oa
Arcabit	Trojan.Generic.D2382FF6
ViRobot	Trojan.Win32.Z.Agent.1414678
GData	Win32.Trojan.BSE.HLJWVB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Agent.C4544191
McAfee	Artemis!036BEE46548F
VBA32	TrojanPSW.Coins
Malwarebytes	Malware.AI.4024116118
TrendMicro-HouseCall	TROJ_GEN.R067C0DGC21

lv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All