Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 15, 2021, 12:33 p.m.	Aug. 15, 2021, 12:44 p.m.

Size	73.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`b3edf0682d10790927ec8cdf5f1f187e`
SHA256	`cb8e4b7147126e223411909a0134294d16cf20a8a3068136a55420b6fbe78084`
CRC32	`5D4BD2E5`
ssdeep	`1536:d7YVuIJuEDjROozZ5Na0aEDvg5wwxeQC2VOFUOr679069+GSi98nouy8Y:ddExzxa/Evg6wEQC5mO2JN9XSi2outY`
Yara	PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\wj1.png.dll,Init
1016
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\wj1.png.dll,Jmp
1756
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\wj1.png.dll,UnInit
2084
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\wj1.png.dll,
3028

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 15, 2021, 12:33 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 15, 2021, 12:33 p.m.			0	0
IsDebuggerPresent Aug. 15, 2021, 12:33 p.m.			0	0
IsDebuggerPresent Aug. 15, 2021, 12:33 p.m.			0	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Aug. 15, 2021, 12:33 p.m.	stacktrace: Jmp-0x4ec6 wj1+0x145c @ 0x1000145c Init+0x19 UnInit-0x6 wj1+0x635a @ 0x1000635a rundll32+0x1326 @ 0xd61326 rundll32+0x1901 @ 0xd61901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1112992 registers.edi: 3097616 registers.eax: 0 registers.ebp: 1113040 registers.edx: 2653656 registers.ebx: 0 registers.esi: 3097576 registers.ecx: 2721376	1
__exception__ Aug. 15, 2021, 12:33 p.m.	stacktrace: Jmp+0x19 Init-0x6 wj1+0x633b @ 0x1000633b rundll32+0x1326 @ 0xd61326 rundll32+0x1901 @ 0xd61901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x90262 registers.esp: 1047472 registers.edi: 1047572 registers.eax: 590434 registers.ebp: 1047520 registers.edx: 9 registers.ebx: 0 registers.esi: 1047632 registers.ecx: 0	1
__exception__ Aug. 15, 2021, 12:33 p.m.	stacktrace: Jmp-0x9 wj1+0x6319 @ 0x10006319 UnInit+0x8 wj1+0x6368 @ 0x10006368 rundll32+0x1326 @ 0xd61326 rundll32+0x1901 @ 0xd61901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 2488352 registers.edi: 0 registers.eax: 0 registers.ebp: 2488400 registers.edx: 127 registers.ebx: 0 registers.esi: 655932 registers.ecx: 258606665	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 15, 2021, 12:33 p.m.

stacktrace:

Jmp-0x4ec6 wj1+0x145c @ 0x1000145c
Init+0x19 UnInit-0x6 wj1+0x635a @ 0x1000635a
rundll32+0x1326 @ 0xd61326
rundll32+0x1901 @ 0xd61901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 1112992
registers.edi: 3097616
registers.eax: 0
registers.ebp: 1113040
registers.edx: 2653656
registers.ebx: 0
registers.esi: 3097576
registers.ecx: 2721376

__exception__

Aug. 15, 2021, 12:33 p.m.

stacktrace:

Jmp+0x19 Init-0x6 wj1+0x633b @ 0x1000633b
rundll32+0x1326 @ 0xd61326
rundll32+0x1901 @ 0xd61901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x90262
registers.esp: 1047472
registers.edi: 1047572
registers.eax: 590434
registers.ebp: 1047520
registers.edx: 9
registers.ebx: 0
registers.esi: 1047632
registers.ecx: 0

__exception__

Aug. 15, 2021, 12:33 p.m.

stacktrace:

Jmp-0x9 wj1+0x6319 @ 0x10006319
UnInit+0x8 wj1+0x6368 @ 0x10006368
rundll32+0x1326 @ 0xd61326
rundll32+0x1901 @ 0xd61901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 2488352
registers.edi: 0
registers.eax: 0
registers.ebp: 2488400
registers.edx: 127
registers.ebx: 0
registers.esi: 655932
registers.ecx: 258606665

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:33 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0004f058

size

0x00000258

Executes one or more WMI queries (1 event)

wmi	Select Producttype From Win32_OperatingSystem

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00011a00', u'virtual_address': u'0x0003c000', u'entropy': 7.987503653034055, u'name': u'UPX1', u'virtual_size': u'0x00012000'}

entropy

7.98750365303

description

A section with a high entropy has been found

entropy

0.972413793103

description

Overall entropy of this PE file is high

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Elastic	malicious (high confidence)
McAfee	RDN/Generic.dx
CrowdStrike	win/malicious_confidence_70% (W)
K7GW	Adware ( 00506e8d1 )
K7AntiVirus	Adware ( 00506e8d1 )
Cyren	W32/Trojan.FJFH-7405
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.BlackMoon.A potentially unwanted
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
ViRobot	Adware.Presenoker.75264.A
Avast	Win32:Malware-gen
McAfee-GW-Edition	BehavesLike.Win32.Dropper.lc
FireEye	Generic.mg.b3edf0682d107909
Sophos	Generic PUA PC (PUA)
SentinelOne	Static AI - Suspicious PE
GData	Win32.Trojan.Agent.I6FKD5
Jiangmin	Trojan.Generic.debyj
Gridinsoft	Trojan.Win32.Packed.oa
Microsoft	Program:Win32/Wacapew.C!ml
AhnLab-V3	Malware/Win.Malware-gen.C4559874
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R023H06G521
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Riskware/Blackmoon
BitDefenderTheta	Gen:NN.ZedlaF.34058.eqSfa04jtDdb
AVG	Win32:Malware-gen

wj1.png

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All