Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 23, 2021, 9:40 a.m.	Oct. 23, 2021, 9:44 a.m.

Size	238.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`8efc94a68d078ed67459403c868aa9f0`
SHA256	`511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da`
CRC32	`0A12A5E3`
ssdeep	`6144:wBlL/cbnggLr08960+6EV1PEb5rHfSRUGA4C:CeRP8RZMbBHfadA7`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 23, 2021, 9:40 a.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 23, 2021, 9:40 a.m.		1	1	0

section

.ndata

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 23, 2021, 9:40 a.m.	process_identifier: 2268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e8c000 process_handle: 0xffffffff	1	0	0

file	C:\Users\test22\AppData\Local\Temp\nsdAF8.tmp\edjaxef.dll

file	C:\Users\test22\AppData\Local\Temp\nsdAF8.tmp\edjaxef.dll

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 23, 2021, 9:40 a.m.	process_identifier: 2484 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2268 created a remote thread in non-child process 2484
CreateRemoteThread Oct. 23, 2021, 9:40 a.m.	thread_identifier: 0 process_identifier: 2484 function_address: 0x001f8178 flags: 4 stack_size: 0 parameter: 0x00000000 process_handle: 0x00000224	1	556	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2268 manipulating memory of non-child process 2484
NtAllocateVirtualMemory Oct. 23, 2021, 9:40 a.m.	process_identifier: 2484 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0	0

Elastic	malicious (high confidence)
MicroWorld-eScan	Zum.Androm.1
FireEye	Generic.mg.8efc94a68d078ed6
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.68d078
Arcabit	Zum.Androm.1
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Inject.gen
BitDefender	Zum.Androm.1
Emsisoft	Zum.Androm.1 (B)
McAfee-GW-Edition	BehavesLike.Win32.Vopak.dc
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.NSIS.Agent
Avira	TR/ATRAPS.Gen2
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Zum.Androm.1
Cynet	Malicious (score: 100)
McAfee	Artemis!8EFC94A68D07
MAX	malware (ai score=86)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Injector.EQGK!tr
BitDefenderTheta	Gen:NN.ZedlaF.34236.du4@aKmPulai

vbc.exe