Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 29, 2021, 10:57 a.m.	Sept. 29, 2021, 10:59 a.m.

Size	2.4MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Code page: 1252, Revision Number: {CA02AD20-933F-4C57-8023-2EF485D496D4}, Number of Words: 10, Subject: Installer, Author: Installer, Name of Creating Application: Installer 64247, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Security: 0, Number of Pages: 200
MD5	`2d6ba1a2c184dccac37e3c8b10083989`
SHA256	`049c648f0d8eba9a540f9a4210853c9d093fbf5ef8851597842e28e4e1dc9f6e`
CRC32	`EC044E91`
ssdeep	`49152:Jh/QO/b+wQu+o3SaN3gYyrWITPJTOYKEA:bd/b+FuTGYylpOY9A`
Yara	Malicious_Packer_Zero - Malicious Packer Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library Microsoft_Office_File_Zero - Microsoft Office File

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\Document-753GF01.msi
2504
explorer.exe C:\Windows\Explorer.EXE
1924

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 29, 2021, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 29, 2021, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 29, 2021, 10:57 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 29, 2021, 10:57 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 29, 2021, 10:57 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73aa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03b80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 29, 2021, 10:57 a.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 29, 2021, 10:57 a.m.	total_number_of_free_bytes: 10237661184 free_bytes_available: 10237661184 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceW Sept. 29, 2021, 10:57 a.m.	number_of_free_clusters: 2499429 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Sept. 29, 2021, 10:57 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Lionic	Trojan.Win32.Bulz.4!c
ClamAV	Win.Downloader.Zusy-9884239-0
ALYac	Gen:Variant.Bulz.667805
Arcabit	Trojan.Bulz.DA309D
Cyren	MSI/Banload.P
ESET-NOD32	a variant of Win32/TrojanDownloader.Banload.YQS
TrendMicro-HouseCall	TROJ_GEN.R002H0CIS21
Kaspersky	UDS:Backdoor.Multi.GenericML.xnet
BitDefender	Gen:Variant.Zusy.402261
MicroWorld-eScan	Gen:Variant.Zusy.402261
F-Secure	Heuristic.HEUR/AGEN.1143862
FireEye	Gen:Variant.Zusy.402261
Emsisoft	Gen:Variant.Bulz.769458 (B)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Zusy.402261
AhnLab-V3	Trojan/Win.Generic.C4634343
McAfee	Artemis!A0AC7E39BD66
MAX	malware (ai score=84)
VBA32	BScope.Trojan.Click
Zoner	Trojan.DOC.81465
Tencent	Win32.Trojan.Bulz.Htct
Fortinet	W32/Banload.YQS!tr.dldr

Document-753GF01.msi

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All