Summary | ZeroBOX

GF-DFTFYTSKFHK437943.msi

Tags: Generic Malware, Malicious Packer, Malicious Library, OS Processor Check, MSOffice File

Category:  FILE
Machine:   s1_win7_x6403_us
Started:   Nov. 10, 2021, 9:40 a.m.
Completed: Nov. 10, 2021, 9:46 a.m.
Size:      8.2MB
Type:      Composite Document File V2 Document, Little Endian, MSI Installer
  • Os: Windows, Version 10.0
  • Last Printed: Fri Dec 11 11:47:44 2009
  • Create Time/Date: Fri Dec 11 11:47:44 2009
  • Last Saved Time/Date: Fri Dec 11 11:47:44 2009
  • Security: 0
  • Code page: 1252
  • Revision Number: {A7D82A59-0CDC-40BF-A106-699B7162874A}
  • Number of Words: 10
  • Subject: windows management
  • Author: windows erro memory management
  • Name of Creating Application: Advanced Installer 16.5 build 8df7ad95
  • Template: ;1046
  • Comments: windows erro management
  • Title: Installation Database
  • Keywords: Installer, MSI, Database
  • Number of Pages: 200
MD5 1fbb973e9856e9f89216fc609f9e6aa1
SHA256 dd1e5bb09e6cccaa0255d43ad97dd2e7dd5131000248d90fa1843511c1adcd12
CRC32 A1FAA2E9
ssdeep 196608:eKDKIlF3EyI5a1xWF5ZjUL7uNrjEi4KvcrAf5nwJ:zWYFTwbvI3uNrjEgkrAS
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • Malicious_Library_Zero - Malicious_Library
  • Microsoft_Office_File_Zero - Microsoft Office File

IP Address       Status
142.250.204.129  Active
142.250.66.78    Active
164.124.101.2    Active
208.95.112.1     Active

Suricata Alerts

Flow                                              SID        Signature                                                                   Category
TCP 192.168.56.103:49181 -> 142.250.66.78:443     906200056  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)               undefined
TCP 192.168.56.103:49182 -> 142.250.204.129:443   906200056  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)               undefined
TCP 192.168.56.103:49183 -> 208.95.112.1:80       2022082    ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address  Detected
TCP 192.168.56.103:49183 -> 208.95.112.1:80       2022082    ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address  Detected

The two SSLBL alerts match on the client-side JA3 fingerprint only, not on the destination: the Suricata TLS records below show both flows terminating at Google-issued certificates for *.google.com and *.googleusercontent.com, consistent with the docs.google.com / googleusercontent.com requests listed further down rather than with Tofsee infrastructure.

Suricata TLS

Flow: 192.168.56.103:49181 -> 142.250.66.78:443 (TLSv1)
  Issuer:      C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
  Subject:     CN=*.google.com
  Fingerprint: 16:80:69:27:68:35:54:61:3c:a2:bd:00:dc:49:ed:bb:d7:df:ee:cf

Flow: 192.168.56.103:49182 -> 142.250.204.129:443 (TLSv1)
  Issuer:      C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
  Subject:     CN=*.googleusercontent.com
  Fingerprint: a3:0c:85:1d:48:7f:3c:72:8f:9a:23:c7:23:f8:e4:03:ae:d0:4d:dc

Time & API Arguments Status Return Repeated

GetComputerNameW
  computer_name: TEST22-PC
  Status: 1  Return: 1  Repeated: 0

GetComputerNameA
  computer_name: TEST22-PC
  Status: 1  Return: 1  Repeated: 0

GetComputerNameW
  computer_name: TEST22-PC
  Status: 1  Return: 1  Repeated: 0

IsDebuggerPresent
  (no arguments)
  Status/Return/Repeated as logged: 0 0

GlobalMemoryStatusEx
  (no arguments)
  Status: 1  Return: 1  Repeated: 0
request GET http://ip-api.com/json/
request GET https://docs.google.com/document/d/10HvsTYa9mOZkmz5pyA-Za4wVTeJi4XzWOBmXG4x--SQ/export?format=txt
request GET https://doc-0g-8k-docstext.googleusercontent.com/export/kr014gggnh0d9kvhc4c60ctnp0/qobs2n84j988rv25et34agsloo/1636505080000/109814536751784867157/*/10HvsTYa9mOZkmz5pyA-Za4wVTeJi4XzWOBmXG4x--SQ?format=txt
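The three requests above form one pattern: an external-IP lookup against ip-api.com, then a Google Docs document fetched as plain text (`export?format=txt`), with the third request being the googleusercontent.com redirect target that serves the same document ID. A Google Docs text export fetched by an installer is commonly used as a dead-drop resolver (the document body carries the next-stage address); the report does not show the document's content, so that is the pattern, not a confirmed finding. The code below is an added example, not part of the ZeroBOX report, that classifies such a request list and pulls out the document ID. The URLs are the three from the report; the kind labels, helper names and the extra hosts in IP_LOOKUP_HOSTS are assumptions of this example.

```python
"""Classify the HTTP(S) requests recorded for a sandboxed sample.

Added example, not part of the ZeroBOX report.  REQUESTS is transcribed from
the report's "request GET ..." rows; the kind labels, the helper names and the
extra hosts in IP_LOOKUP_HOSTS are assumptions made for this example.
"""
from urllib.parse import urlsplit, parse_qs

REQUESTS = [
    "http://ip-api.com/json/",
    "https://docs.google.com/document/d/10HvsTYa9mOZkmz5pyA-Za4wVTeJi4XzWOBmXG4x--SQ"
    "/export?format=txt",
    "https://doc-0g-8k-docstext.googleusercontent.com/export/kr014gggnh0d9kvhc4c60ctnp0"
    "/qobs2n84j988rv25et34agsloo/1636505080000/109814536751784867157/*"
    "/10HvsTYa9mOZkmz5pyA-Za4wVTeJi4XzWOBmXG4x--SQ?format=txt",
]

# ip-api.com is the host in the report; the other entries are well-known
# external-IP services added as an assumption of this example.
IP_LOOKUP_HOSTS = {"ip-api.com", "ipinfo.io", "api.ipify.org", "icanhazip.com"}


def classify(url: str) -> dict:
    """Label one URL: external-IP lookup, Google Docs text export (direct or
    via the googleusercontent.com redirect), or other."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segs = [s for s in parts.path.split("/") if s]
    fmt = parse_qs(parts.query).get("format", [None])[0]

    if any(host == h or host.endswith("." + h) for h in IP_LOOKUP_HOSTS):
        return {"kind": "external_ip_lookup", "host": host}

    # docs.google.com/document/d/<id>/export?format=txt
    if host == "docs.google.com" and segs[:2] == ["document", "d"] and "export" in segs:
        return {"kind": "google_docs_export", "doc_id": segs[2], "format": fmt}

    # doc-*-docstext.googleusercontent.com/export/.../<id>?format=txt
    # (the redirect target Google serves for the export above; the document
    # ID is the last path component)
    if host.endswith(".googleusercontent.com") and segs[:1] == ["export"]:
        return {"kind": "google_docs_export_redirect", "doc_id": segs[-1], "format": fmt}

    return {"kind": "other", "host": host}


def summarize(urls) -> dict:
    """Roll a request list up into the two indicators this trace shows:
    an external-IP lookup and a Google Docs document fetched as plain text."""
    labelled = [classify(u) for u in urls]
    doc_ids = sorted({c["doc_id"] for c in labelled if "doc_id" in c})
    return {
        "external_ip_lookup": any(c["kind"] == "external_ip_lookup" for c in labelled),
        "google_docs_dead_drop": doc_ids,
        "other": [c["host"] for c in labelled if c["kind"] == "other"],
    }


if __name__ == "__main__":
    for u in REQUESTS:
        print(classify(u))
    print(summarize(REQUESTS))
```

Matching on the document ID rather than the hostname is what ties the docs.google.com request and its googleusercontent.com redirect together as one fetch; a hunt query built from the hostname alone would treat them as two unrelated Google connections.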
Time & API Arguments Status Return Repeated

Memory calls. Size is `length` for NtProtectVirtualMemory and `region_size` for NtAllocateVirtualMemory; the DEP column is stack_dep_bypass/stack_pivoted/heap_dep_bypass. Every call passes process_handle 0xffffffff (0xffffffffffffffff in the 64-bit process 1236), the current-process pseudo-handle, so all of this is the caller modifying its own address space, not a remote process.

API                      PID   Base address        Size     Protection                   Allocation type     DEP    Handle              Status  Return  Repeated
NtProtectVirtualMemory   2408  0x73811000          4096     64 (PAGE_EXECUTE_READWRITE)  -                   0/0/0  0xffffffff          1       0       0
NtProtectVirtualMemory   2408  0x737f1000          4096     64 (PAGE_EXECUTE_READWRITE)  -                   0/0/0  0xffffffff          1       0       0
NtProtectVirtualMemory   2408  0x73661000          4096     64 (PAGE_EXECUTE_READWRITE)  -                   0/0/0  0xffffffff          1       0       0
NtProtectVirtualMemory   2408  0x72e91000          4096     64 (PAGE_EXECUTE_READWRITE)  -                   0/0/0  0xffffffff          1       0       0
NtProtectVirtualMemory   2408  0x73641000          4096     64 (PAGE_EXECUTE_READWRITE)  -                   0/0/0  0xffffffff          1       0       0
NtProtectVirtualMemory   2408  0x73631000          4096     64 (PAGE_EXECUTE_READWRITE)  -                   0/0/0  0xffffffff          1       0       0
NtProtectVirtualMemory   2408  0x73611000          4096     64 (PAGE_EXECUTE_READWRITE)  -                   0/0/0  0xffffffff          1       0       0
NtProtectVirtualMemory   2408  0x72e41000          4096     64 (PAGE_EXECUTE_READWRITE)  -                   0/0/0  0xffffffff          1       0       0
NtAllocateVirtualMemory  2408  0x04200000          1179648  64 (PAGE_EXECUTE_READWRITE)  8192 (MEM_RESERVE)  0/0/0  0xffffffff          1       0       0
NtAllocateVirtualMemory  2408  0x042e0000          4096     64 (PAGE_EXECUTE_READWRITE)  4096 (MEM_COMMIT)   0/0/1  0xffffffff          1       0       0
NtProtectVirtualMemory   2408  0x72e32000          4096     64 (PAGE_EXECUTE_READWRITE)  -                   0/0/0  0xffffffff          1       0       0
NtAllocateVirtualMemory  2408  0x040a0000          655360   64 (PAGE_EXECUTE_READWRITE)  8192 (MEM_RESERVE)  0/0/0  0xffffffff          1       0       0
NtAllocateVirtualMemory  2408  0x04100000          4096     64 (PAGE_EXECUTE_READWRITE)  4096 (MEM_COMMIT)   0/0/1  0xffffffff          1       0       0
NtAllocateVirtualMemory  1236  0x0000000006650000  65536    64 (PAGE_EXECUTE_READWRITE)  4096 (MEM_COMMIT)   0/0/0  0xffffffffffffffff  1       0       0
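What an analyst scans the table above for: page-sized PAGE_EXECUTE_READWRITE re-protections of memory that PID 2408 did not allocate in this trace (the 0x72e3xxxx-0x7381xxxx addresses), two large RWX MEM_RESERVE regions each followed by a MEM_COMMIT that lands inside it with heap_dep_bypass set, and a separate RWX commit in the 64-bit process 1236. The code below is an added example, not code from the ZeroBOX report or the sandbox, that encodes those checks over a trace transcribed from the rows above; the record layout, the finding names and the reserve/commit pairing logic are this example's own conventions.

```python
"""Flag RWX memory activity in a Cuckoo/ZeroBOX-style API trace.

Added example, not part of the ZeroBOX report or the sandbox's own code.
TRACE is transcribed from the report's NtAllocateVirtualMemory /
NtProtectVirtualMemory rows (argument names follow the report); the finding
names and the pairing logic are this example's own conventions.
"""
PAGE_EXECUTE_READWRITE = 0x40   # 64 in the report
MEM_COMMIT = 0x1000             # 4096
MEM_RESERVE = 0x2000            # 8192


def _protect(pid, base, length):
    """One NtProtectVirtualMemory row (protection is 0x40 in every row shown)."""
    return {"api": "NtProtectVirtualMemory", "pid": pid, "base": base,
            "size": length, "protection": PAGE_EXECUTE_READWRITE,
            "alloc": None, "heap_dep_bypass": 0}


def _alloc(pid, base, region_size, alloc, heap_dep_bypass=0):
    """One NtAllocateVirtualMemory row."""
    return {"api": "NtAllocateVirtualMemory", "pid": pid, "base": base,
            "size": region_size, "protection": PAGE_EXECUTE_READWRITE,
            "alloc": alloc, "heap_dep_bypass": heap_dep_bypass}


# Transcribed from the report, in trace order.
TRACE = [
    _protect(2408, 0x73811000, 4096), _protect(2408, 0x737f1000, 4096),
    _protect(2408, 0x73661000, 4096), _protect(2408, 0x72e91000, 4096),
    _protect(2408, 0x73641000, 4096), _protect(2408, 0x73631000, 4096),
    _protect(2408, 0x73611000, 4096), _protect(2408, 0x72e41000, 4096),
    _alloc(2408, 0x04200000, 1179648, MEM_RESERVE),
    _alloc(2408, 0x042e0000, 4096, MEM_COMMIT, heap_dep_bypass=1),
    _protect(2408, 0x72e32000, 4096),
    _alloc(2408, 0x040a0000, 655360, MEM_RESERVE),
    _alloc(2408, 0x04100000, 4096, MEM_COMMIT, heap_dep_bypass=1),
    _alloc(1236, 0x0000000006650000, 65536, MEM_COMMIT),
]


def rwx_calls(trace):
    """Every call that leaves a region writable and executable at once."""
    return [r for r in trace if r["protection"] & PAGE_EXECUTE_READWRITE]


def reserve_commit_pairs(trace):
    """(reserve_base, commit_base) for each RWX MEM_COMMIT that lands inside an
    earlier MEM_RESERVE of the same process: reserve a large RWX region, then
    commit pages into it as the payload is written."""
    pairs, reserved = [], []          # reserved: (pid, lo, hi)
    for r in trace:
        if r["api"] != "NtAllocateVirtualMemory":
            continue
        if r["alloc"] == MEM_RESERVE:
            reserved.append((r["pid"], r["base"], r["base"] + r["size"]))
        elif r["alloc"] == MEM_COMMIT:
            for pid, lo, hi in reserved:
                if pid == r["pid"] and lo <= r["base"] < hi:
                    pairs.append((lo, r["base"]))
    return pairs


def protects_outside_trace_allocs(trace):
    """Bases of NtProtectVirtualMemory calls whose page lies in no region this
    trace allocated, i.e. the process re-protecting memory it did not allocate
    here (a mapped image or some other pre-existing region)."""
    regions, out = [], []
    for r in trace:
        if r["api"] == "NtAllocateVirtualMemory":
            regions.append((r["pid"], r["base"], r["base"] + r["size"]))
        elif not any(pid == r["pid"] and lo <= r["base"] < hi
                     for pid, lo, hi in regions):
            out.append(r["base"])
    return out


def triage(trace):
    """Summary a detection rule or analyst note would be built from."""
    rwx = rwx_calls(trace)
    return {
        "rwx_calls": len(rwx),
        "rwx_pids": sorted({r["pid"] for r in rwx}),
        "reserve_commit_pairs": reserve_commit_pairs(trace),
        "heap_dep_bypass_commits": sum(1 for r in trace if r["heap_dep_bypass"]),
        "protect_outside_trace_allocs": protects_outside_trace_allocs(trace),
    }


if __name__ == "__main__":
    for key, value in triage(TRACE).items():
        print(f"{key}: {value}")
```

The pairing check is deliberately per process: a commit at a matching address in a different PID is a separate region, and the 64-bit PID 1236 commit is reported only as an RWX call, not as part of either reserve.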
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW
  root_path: C:\
  total_number_of_bytes: 34252779520
  free_bytes_available: 10226454528
  total_number_of_free_bytes: 10226454528
  Status: 1  Return: 1  Repeated: 0

GetDiskFreeSpaceW
  root_path: C:\
  sectors_per_cluster: 8
  bytes_per_sector: 512
  total_number_of_clusters: 8362495
  number_of_free_clusters: 2496693
  Status: 1  Return: 1  Repeated: 0

GetDiskFreeSpaceExW
  root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
  total_number_of_bytes: 0
  free_bytes_available: 10218524672
  total_number_of_free_bytes: 0
  Status: 1  Return: 1  Repeated: 0
domain ip-api.com
domain docs.google.com
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW, 16 calls in the order below. Every call has an empty system_name (the local machine) and Status 1, Return 1, Repeated 0. LookupPrivilegeValueW only resolves a privilege name to its LUID; it does not enable the privilege (that takes AdjustTokenPrivileges, which this report does not list), so this is enumeration, not an observed privilege change.

privilege_name:
  • SeShutdownPrivilege
  • SeCreateTokenPrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeMachineAccountPrivilege
  • SeTcbPrivilege
  • SeSecurityPrivilege
  • SeTakeOwnershipPrivilege
  • SeLoadDriverPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeShutdownPrivilege
  • SeDebugPrivilege
  • SeRemoteShutdownPrivilege
  • SeEnableDelegationPrivilege
  • SeManageVolumePrivilege
  • SeCreateGlobalPrivilege
Antivirus          Detection
FireEye            Gen:Variant.Bulz.910976
Arcabit            Trojan.Bulz.DDE680
Cyren              W32/Patched.S.gen!Eldorado
ESET-NOD32         a variant of Win32/Spy.Casbaneiro.CV
Kaspersky          UDS:Trojan-Banker.Win32.Ponteiro
BitDefender        Gen:Variant.Bulz.910976
NANO-Antivirus     Virus.Win32.Gen-Crypt.ccnc
Sophos             Generic ML PUA (PUA)
McAfee-GW-Edition  Artemis!Trojan
Emsisoft           Gen:Variant.Bulz.910976 (B)
Microsoft          Trojan:Win32/Sabsik.FL.B!ml
GData              Gen:Variant.Bulz.910976
BitDefenderTheta   Gen:NN.ZedlaF.34266.@@8@aGensdai
ALYac              Gen:Variant.Bulz.910976
MAX                malware (ai score=86)
VBA32              BScope.Trojan.Emotet