Summary | ZeroBOX

rundll32.exe

Tags: NSIS, Malicious Library, UPX, PE File, DLL, OS Processor Check, PE32
Category: FILE
Machine: s1_win7_x6401
Started: Nov. 3, 2021, 9:25 a.m.
Completed: Nov. 3, 2021, 9:38 a.m.
Size: 284.1KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 0362c14d2b1389973027a71faa08d013
SHA256: 5e39768c8fd6bb7644322000828b9bd1c34d25c3be1a9a712761ba834910fcf0
CRC32: 39A658D6
ssdeep: 6144:wBlL/c36rQHyHr43WNdO1QE1DDWLW9+MexU3q16FYyms4FjK/BM:Ce3JjmNdOfWiEM13q1kYhFUBM
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
  (no arguments)
  Status: 1  Return: 1  Repeated: 0
section .ndata
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory (25 calls, each with Status: 1  Return: 0  Repeated: 0)
  Arguments common to all 25 calls:
  process_identifier: 2772
  process_handle: 0xffffffff
  protection: 64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  Per-call arguments (base_address, length):
  0x73d90000  4096
  0x74e71000  4096
  0x76111000  4096
  0x76001000  4096
  0x73c81000  4096
  0x746d1000  4096
  0x73c41000  4096
  0x763a1000  4096
  0x73aa1000  4096
  0x73a71000  4096
  0x76a81000  4096
  0x73991000  4096
  0x73461000  4096
  0x73424000  4096
  0x73462000  4096
  0x10019000  4096
  0x75291000  4096
  0x750c1000  4096
  0x76451000  4096
  0x73381000  4096
  0x742e1000  4096
  0x761a1000  4096
  0x73a41000  4096
  0x73361000  4096
  0x1001b000  8192

NtAllocateVirtualMemory
  process_identifier: 2884
  region_size: 3158016
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x02220000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0
file C:\Users\test22\AppData\Local\Temp\nseE233.tmp\ibgiyuxot.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW
  system_name:
  privilege_name: SeDebugPrivilege
  Status: 1  Return: 1  Repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory
  process_identifier: 2884
  region_size: 167936
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00400000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0x00000238
  Status: 1  Return: 0  Repeated: 0
Process injection: Process 2772 called NtSetContextThread to modify a thread in remote process 2884
Time & API Arguments Status Return Repeated

NtSetContextThread
  registers.eip: 2003108292
  registers.esp: 1638384
  registers.edi: 0
  registers.eax: 4314288
  registers.ebp: 0
  registers.edx: 0
  registers.ebx: 2130567168
  registers.esi: 0
  registers.ecx: 0
  thread_handle: 0x00000218
  process_identifier: 2884
  Status: 1  Return: 0  Repeated: 0
Antivirus detections (vendor: result)
  • Lionic: Trojan.Win32.Zapchast.4!c
  • Elastic: malicious (high confidence)
  • MicroWorld-eScan: Trojan.NSISX.Spy.Gen.2
  • FireEye: Generic.mg.0362c14d2b138997
  • Sangfor: Trojan.Win32.Save.a
  • Cybereason: malicious.d2b138
  • Cyren: W32/Injector.AOJ.gen!Eldorado
  • ESET-NOD32: a variant of Win32/Injector.EQKZ
  • APEX: Malicious
  • Paloalto: generic.ml
  • Kaspersky: UDS:DangerousObject.Multi.Generic
  • BitDefender: Trojan.GenericKD.47312389
  • Avast: Win32:RATX-gen [Trj]
  • Tencent: Win32.Trojan.Zapchast.Dks
  • Emsisoft: Trojan.NSISX.Spy.Gen.2 (B)
  • McAfee-GW-Edition: BehavesLike.Win32.Puper.dc
  • Sophos: Mal/Generic-S
  • Ikarus: Trojan.NSIS.Agent
  • Webroot: W32.Trojan.Gen
  • GData: Win32.Trojan-Stealer.FormBook.MWIBS5
  • Cynet: Malicious (score: 100)
  • McAfee: RDN/Generic.dx
  • MAX: malware (ai score=83)
  • SentinelOne: Static AI - Malicious PE
  • Fortinet: W32/Injector.EQKA!tr
  • AVG: Win32:RATX-gen [Trj]
dead_host 155.235.2.174:80
Time & API Arguments Status Return Repeated

CreateProcessInternalW
  thread_identifier: 2888
  thread_handle: 0x00000218
  process_identifier: 2884
  current_directory:
  filepath: C:\Users\test22\AppData\Local\Temp\rundll32.exe
  track: 1
  command_line: "C:\Users\test22\AppData\Local\Temp\rundll32.exe"
  filepath_r: C:\Users\test22\AppData\Local\Temp\rundll32.exe
  stack_pivoted: 0
  creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
  inherit_handles: 0
  process_handle: 0x00000238
  Status: 1  Return: 1  Repeated: 0

NtGetContextThread
  thread_handle: 0x00000218
  Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory
  process_identifier: 2884
  region_size: 167936
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00400000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0x00000238
  Status: 1  Return: 0  Repeated: 0

NtSetContextThread
  registers.eip: 2003108292
  registers.esp: 1638384
  registers.edi: 0
  registers.eax: 4314288
  registers.ebp: 0
  registers.edx: 0
  registers.ebx: 2130567168
  registers.esi: 0
  registers.ecx: 0
  thread_handle: 0x00000218
  process_identifier: 2884
  Status: 1  Return: 0  Repeated: 0