popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

wvieedr.exe

UPX Malicious Library AntiDebug PE File OS Processor Check PE32 AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Aug. 13, 2021, 8:01 p.m. Aug. 13, 2021, 8:03 p.m.
Size 319.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 06a029882deabf229f62728afe3baf4f
SHA256 f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05
CRC32 A49E7C14
ssdeep 6144:NaBzncNI4Z6pFBJIJZ0xe0cgFVmAS60bwzINf3gf481PJ/ZUt/b3tuV1:0cr0HXIJZ0xeKVmAS60bwSf4JGt/kP
PDB Path C:\nasuxitoti\wanuketas\yal\yabovu fapetuxo\lekagokese\heguna.pdb
Yara
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
pdb_path C:\nasuxitoti\wanuketas\yal\yabovu fapetuxo\lekagokese\heguna.pdb
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 69632
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00303000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1616
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00990000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SINGAPORE offset 0x004fe158 size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SINGAPORE offset 0x004fe158 size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SINGAPORE offset 0x004fe158 size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SINGAPORE offset 0x004fe158 size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SINGAPORE offset 0x004fe158 size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SINGAPORE offset 0x004fe158 size 0x00000468
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SINGAPORE offset 0x004fe5c0 size 0x0000005a
section {u'size_of_data': u'0x00011400', u'virtual_address': u'0x00036000', u'entropy': 7.727024402592798, u'name': u'.data', u'virtual_size': u'0x004c4fa8'} entropy 7.72702440259 description A section with a high entropy has been found
entropy 0.216640502355 description Overall entropy of this PE file is high
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2704
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000080
1 0 0
Time & API Arguments Status Return Repeated

LdrGetDllHandle

 module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0

LdrGetDllHandle

 module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2704
process_handle: 0x00000080
1 1 0
Process injection Process 1616 called NtSetContextThread to modify thread in remote process 2704
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2002059716
registers.esp: 1638384
registers.edi: 0
registers.eax: 4206106
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000007c
process_identifier: 2704
1 0 0
Process injection Process 1616 resumed a thread in remote process 2704
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 2704
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2116
thread_handle: 0x0000007c
process_identifier: 2704
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\wvieedr.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\wvieedr.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\wvieedr.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000080
1 1 0

NtGetContextThread

 thread_handle: 0x0000007c
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 4096
process_identifier: 2704
process_handle: 0x00000080
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2704
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000080
1 0 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2704
process_handle: 0x00000080
1 1 0

NtSetContextThread

 registers.eip: 2002059716
registers.esp: 1638384
registers.edi: 0
registers.eax: 4206106
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000007c
process_identifier: 2704
1 0 0

NtResumeThread

 thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 2704
1 0 0
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.46781890
Qihoo-360 Win32/Heur.Generic.HwoCOQcA
ALYac Trojan.SmokeLoader
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7GW Trojan ( 00580df61 )
CrowdStrike win/malicious_confidence_100% (W)
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.FIWW
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Raccoon-9885550-0
Kaspersky HEUR:Trojan.Win32.Chapak.gen
BitDefender Trojan.GenericKD.46781890
Avast Win32:Trojan-gen
Ad-Aware Trojan.GenericKD.46781890
Emsisoft Trojan.GenericKD.46781890 (B)
DrWeb Trojan.Siggen14.60125
McAfee-GW-Edition BehavesLike.Win32.Trojan.fh
FireEye Generic.mg.06a029882deabf22
Sophos Mal/Generic-R
Ikarus Win32.Outbreak
GData Win32.Trojan-Downloader.SmokeLoader.FOMP91
Kingsoft Win32.Troj.Undef.(kcloud)
ZoneAlarm HEUR:Trojan.Win32.Chapak.gen
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Generic.C4589841
Acronis suspicious
McAfee Packed-GDT!06A029882DEA
MAX malware (ai score=84)
VBA32 Trojan.Win32.Azorult.a
Rising Malware.Obscure/Heur!1.A89F (CLASSIC)
SentinelOne Static AI - Suspicious PE
eGambit Unsafe.AI_Score_95%
Fortinet W32/Wacatac.DF!tr
BitDefenderTheta Gen:NN.ZexaF.34058.tuW@a8TLpfoH
AVG Win32:Trojan-gen
MaxSecure Trojan.Malware.300983.susgen