Summary | ZeroBOX

intel.exe

Malicious Library PE32 PE File
Category: FILE
Machine: s1_win7_x6401
Started: Oct. 5, 2021, 5:46 p.m.
Completed: Oct. 5, 2021, 5:56 p.m.
Size 149.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 47c116db3f0e5d536352aaecbbc7d6b6
SHA256 bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90
CRC32 3CDA34DC
ssdeep 3072:Y1HXx5/ddPgS99gzAMuAwUJJRD5jw2YBc7ipa+P/5y+mgZiTnBz/n2:85/DgfnuANJRDK2Y7/5y+VsZ/
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
103.140.207.110 Active Moloch
164.124.101.2 Active Moloch
27.50.163.123 Active Moloch
194.190.18.122 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49206 -> 103.140.207.110:443 2404300 ET CNC Feodo Tracker Reported CnC Server group 1 A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .rmnet
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CheckElevationEnabled+0x4a7 BaseGenerateAppCompatData-0x152 kernel32+0x23605 @ 0x75743605
CheckElevationEnabled+0x2a3 BaseGenerateAppCompatData-0x356 kernel32+0x23401 @ 0x75743401
CheckElevationEnabled+0x190 BaseGenerateAppCompatData-0x469 kernel32+0x232ee @ 0x757432ee
CreateProcessInternalW+0xc65 BasepFreeAppCompatData-0x4d9 kernel32+0x24858 @ 0x75744858
New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x73cb7747
CreateProcessInternalA+0x123 SetConsoleMode-0x1a3 kernel32+0x2a5da @ 0x7574a5da
CreateProcessA+0x2c Sleep-0x61 kernel32+0x1109e @ 0x7573109e
desktoplayer+0x13c0 @ 0x4013c0
desktoplayer+0x2cda @ 0x402cda
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd053d52
registers.esp: 1634936
registers.edi: 1635572
registers.eax: 1635008
registers.ebp: 1634968
registers.edx: 83
registers.ebx: 1636324
registers.esi: 2000420356
registers.ecx: 894457887
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 3758096448 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040c000
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 3221225536 (PAGE_EXECUTE_READWRITE)
base_address: 0x00412000
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2244
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00710000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2244
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00720000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 3758096448 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040c000
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 3221225536 (PAGE_EXECUTE_READWRITE)
base_address: 0x00412000
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773bf000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2244
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00750000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\intelSrv.exe
file C:\Users\test22\AppData\Local\Temp\intelSrv.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 20480
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
section UPX1 (size_of_data 0x00016e00, virtual_address 0x0000f000, virtual_size 0x00017000) entropy 7.848920795730073 description A section with a high entropy has been found
section .rmnet (size_of_data 0x0000e200, virtual_address 0x00027000, virtual_size 0x0000f000) entropy 7.965839669425273 description A section with a high entropy has been found
entropy 0.996632996633 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000000a8
process_name: DesktopLayer.exe
process_identifier: 7602224
0 0

Process32NextW

snapshot_handle: 0x000001a4
process_name: DesktopLayer.exe
process_identifier: 7536688
0 0

Process32NextW

snapshot_handle: 0x000001b0
process_name: DesktopLayer.exe
process_identifier: 3014768
0 0

Process32NextW

snapshot_handle: 0x000001b4
process_name: DesktopLayer.exe
process_identifier: 7274573
0 0

Process32NextW

snapshot_handle: 0x000001b8
process_name: DesktopLayer.exe
process_identifier: 5046390
0 0

Process32NextW

snapshot_handle: 0x000001bc
process_name: DesktopLayer.exe
process_identifier: 6815859
0 0

Process32NextW

snapshot_handle: 0x000001c0
process_name: DesktopLayer.exe
process_identifier: 6881397
0 0

Process32NextW

snapshot_handle: 0x000001c4
process_name: DesktopLayer.exe
process_identifier: 7602277
0 0

Process32NextW

snapshot_handle: 0x000001c8
process_name: DesktopLayer.exe
process_identifier: 6619235
0 0

Process32NextW

snapshot_handle: 0x000001cc
process_name: DesktopLayer.exe
process_identifier: 4456552
0 0

Process32NextW

snapshot_handle: 0x000001d0
process_name: DesktopLayer.exe
process_identifier: 7536758
0 0

Process32NextW

snapshot_handle: 0x000001d4
process_name: DesktopLayer.exe
process_identifier: 6684769
0 0

Process32NextW

snapshot_handle: 0x000001d8
process_name: DesktopLayer.exe
process_identifier: 4390992
0 0

Process32NextW

snapshot_handle: 0x000001dc
process_name:
process_identifier: 5439572
0 0

Process32NextW

snapshot_handle: 0x000001e0
process_name: DesktopLayer.exe
process_identifier: 6619182
0 0

Process32NextW

snapshot_handle: 0x000001e4
process_name: DesktopLayer.exe
process_identifier: 6553715
0 0

Process32NextW

snapshot_handle: 0x000001e8
process_name: DesktopLayer.exe
process_identifier: 5046338
0 0

Process32NextW

snapshot_handle: 0x000001ec
process_name: DesktopLayer.exe
process_identifier: 6619246
0 0

Process32NextW

snapshot_handle: 0x000001f0
process_name: DesktopLayer.exe
process_identifier: 6750273
0 0

Process32NextW

snapshot_handle: 0x000001f4
process_name: DesktopLayer.exe
process_identifier: 7471220
0 0

Process32NextW

snapshot_handle: 0x000001f8
process_name: DesktopLayer.exe
process_identifier: 7733331
0 0

Process32NextW

snapshot_handle: 0x000001fc
process_name: DesktopLayer.exe
process_identifier: 4980808
0 0

Process32NextW

snapshot_handle: 0x00000200
process_name: DesktopLayer.exe
process_identifier: 6619251
0 0

Process32NextW

snapshot_handle: 0x00000204
process_name: DesktopLayer.exe
process_identifier: 7864421
0 0

Process32NextW

snapshot_handle: 0x00000208
process_name: DesktopLayer.exe
process_identifier: 3342387
0 0

Process32NextW

snapshot_handle: 0x0000020c
process_name: DesktopLayer.exe
process_identifier: 3014722
0 0

Process32NextW

snapshot_handle: 0x00000210
process_name:
process_identifier: 7733362
0 0

Process32NextW

snapshot_handle: 0x00000214
process_name: DesktopLayer.exe
process_identifier: 6553705
0 0
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
section UPX2 description Section name indicates UPX
host 103.140.207.110
host 27.50.163.123
host 194.190.18.122
mutex KyUffThOkYwRRtgPP
Bkav W32.RammitNNA.PE
Lionic Virus.Win32.Nimnul.tn4U
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal W32.Ramnit.A
McAfee W32/Ramnit.q
Cylance Unsafe
Zillya Virus.Nimnul.Win32.1
Sangfor Virus.Win32.Ramnit.a
CrowdStrike win/malicious_confidence_100% (W)
K7GW Trojan ( 004bcce41 )
K7AntiVirus Trojan ( 004bcce41 )
Arcabit Win32.Ramnit
Baidu Win32.Virus.Nimnul.a
Cyren W32/Ramnit.B!Generic
Symantec W32.Ramnit!inf
ESET-NOD32 Win32/Ramnit.A
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Ramnit-1847
Kaspersky Virus.Win32.Nimnul.a
BitDefender Win32.Ramnit
NANO-Antivirus Virus.Win32.Ramnit.eslalb
ViRobot Win32.Ramnit.E
MicroWorld-eScan Win32.Ramnit
Avast Win32:RmnDrp [Inf]
Rising Virus.Ramnit!1.9AA5 (CLASSIC)
Ad-Aware Win32.Ramnit
Sophos ML/PE-A + W32/Patched-I
Comodo Packed.Win32.MUPX.Gen@24tbus
DrWeb Win32.Rmnet
VIPRE Virus.Win32.Ramnit.a (v)
TrendMicro PE_RAMNIT.H
McAfee-GW-Edition BehavesLike.Win32.Ramnit.cc
FireEye Generic.mg.47c116db3f0e5d53
Emsisoft Win32.Ramnit (B)
SentinelOne Static AI - Malicious PE
Jiangmin Win32/PatchFile.et
Avira W32/Ramnit.CD
Antiy-AVL Trojan/Generic.ASVirus.1EB
Kingsoft Win32.Infected.Ramnit.sr.(kcloud)
Gridinsoft Malware.Win32.Gen.bot!se59456
Microsoft Virus:Win32/Ramnit.A
GData Win32.Virus.Ramnit.C
TACHYON Virus/W32.Ramnit.B
AhnLab-V3 Win32/Ramnit.B
Acronis suspicious
VBA32 Virus.Win32.Nimnul.a
ALYac Win32.Ramnit
MAX malware (ai score=80)