Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 8, 2021, 11:17 a.m.	Oct. 8, 2021, 12:03 p.m.

Size	554.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`e13c7ba670a1ceb573c5d297b888df6c`
SHA256	`60bdba6fc20036919b398083a3d70f044c68295fac92973b8994eda040493198`
CRC32	`A53D24EE`
ssdeep	`6144:F8LxBsWb2JjUKAa4aMDWin0soH1nHdgJbt9PzTeNZgJyGP2FkTrJSRTb61DJB+n+:/WoPz4aYnOH1ESGP2FkJY6DQceqgdG7v`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer

new.exe "C:\Users\test22\AppData\Local\Temp\new.exe"
1196
- new.exe "C:\Users\test22\AppData\Local\Temp\new.exe"
  1080

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 8, 2021, 11:17 a.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 8, 2021, 11:17 a.m.		1	1	0

section

.ndata

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 8, 2021, 11:17 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1636360 registers.edi: 2890512 registers.eax: 1636360 registers.ebp: 1636440 registers.edx: 0 registers.ebx: 2890512 registers.esi: 2890512 registers.ecx: 2	1	0	0

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73542000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f82000 process_handle: 0xffffffff	1	0	0

file	C:\Users\test22\AppData\Local\Temp\nso7C1F.tmp\yxxnsseergx.dll

file	C:\Users\test22\AppData\Local\Temp\nso7C1F.tmp\yxxnsseergx.dll

wmi	Select * from Win32_ComputerSystem

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x01ca0000 process_handle: 0xffffffff	1	0	0

wmi	Select * from Win32_ComputerSystem

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1080 region_size: 487424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	1	0	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1196 called NtSetContextThread to modify thread in remote process 1080
NtSetContextThread Oct. 8, 2021, 11:17 a.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 4203924 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000023c process_identifier: 1080	1	0	0

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 8, 2021, 11:17 a.m.	thread_identifier: 2880 thread_handle: 0x0000023c process_identifier: 1080 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\new.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\new.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\new.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000240	1	1
NtGetContextThread Oct. 8, 2021, 11:17 a.m.	thread_handle: 0x0000023c	1	0
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1080 region_size: 487424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	1	0
NtSetContextThread Oct. 8, 2021, 11:17 a.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 4203924 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000023c process_identifier: 1080	1	0

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Inject.4!c
DrWeb	Trojan.Siggen15.18408
MicroWorld-eScan	Trojan.Generic.30351669
McAfee	Artemis!E13C7BA670A1
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7GW	Trojan ( 005888ef1 )
K7AntiVirus	Trojan ( 005888ef1 )
Cyren	W32/Injector.AMJ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.EQFT
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Inject.gen
BitDefender	Trojan.Generic.30351669
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.Generic.30351669
Emsisoft	Trojan.Generic.30351669 (B)
McAfee-GW-Edition	BehavesLike.Win32.Vopak.hc
FireEye	Generic.mg.e13c7ba670a1ceb5
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=86)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Lokibot.DECC!MTB
GData	Trojan.Generic.30351669
Cynet	Malicious (score: 100)
Malwarebytes	Trojan.Injector
TrendMicro-HouseCall	TROJ_GEN.R002C0DJ721
Rising	Trojan.Generic@ML.84 (RDML:MYOBw2otCTYhty0svjvR9w)
Ikarus	Trojan.NSIS.Agent
Fortinet	W32/Injector.EQFJ!tr
Webroot	W32.Trojan.NSISX.Spy.Gen
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.670a1c

new.exe