Summary | ZeroBOX

winlogon.exe

Tags: Malicious Library, UPX, PE File, DLL, OS Processor Check, PE32

Category: FILE
Machine: s1_win7_x6401
Started: Nov. 18, 2021, 1:51 p.m.
Completed: Nov. 18, 2021, 1:58 p.m.

Size: 474.0KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 295acb5c48efe1c1e6c57889667737bd
SHA256: 6769eaaf1f009ce02ca6d0e561637b273c3fe07ee9a65e8af82ac6aa433a120f
CRC32: 5297D353
ssdeep: 6144:yGityLkQFNJ+GemzEZc/aD5/WtG15yyMub0Ww/07ykBq2YehGM:3kQt+P6EKiDNEorw/073ImGM
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

DNS lookups (Name / Response / Post-Analysis Lookup): No hosts contacted.
Hosts (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API call: GlobalMemoryStatusEx
(no arguments)
status: 1, return: 1, repeated: 0
section .ndata
API call: NtProtectVirtualMemory
process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a12000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

API call: NtProtectVirtualMemory
process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10015000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
file C:\Users\test22\AppData\Local\Temp\nsrE33C.tmp\eieilwzjdg.dll
file C:\Users\test22\AppData\Local\Temp\nsrE33C.tmp\eieilwzjdg.dll
API call: NtAllocateVirtualMemory
process_identifier: 2884
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001f4
status: 1, return: 0, repeated: 0
Process injection Process 2776 created a remote thread in non-child process 2884
API call: CreateRemoteThread
thread_identifier: 0
process_identifier: 2884
function_address: 0x001f5ce2
flags: 4
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001f4
status: 1, return: 508, repeated: 0
Process injection Process 2776 manipulating memory of non-child process 2884
API call: NtAllocateVirtualMemory
process_identifier: 2884
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001f4
status: 1, return: 0, repeated: 0

Antivirus results
Vendor                 Detection
Lionic                 Trojan.Multi.Generic.4!c
Elastic                malicious (high confidence)
MicroWorld-eScan       Dropped:Trojan.GenericKDZ.80240
FireEye                Dropped:Trojan.GenericKDZ.80240
McAfee                 Artemis!295ACB5C48EF
Cylance                Unsafe
Cybereason             malicious.c48efe
Cyren                  W32/FakeDoc.AT.gen!Eldorado
Symantec               Trojan.Gen.9
ESET-NOD32             a variant of Win32/Injector.EQOG
APEX                   Malicious
Paloalto               generic.ml
Kaspersky              UDS:DangerousObject.Multi.Generic
BitDefender            Dropped:Trojan.GenericKDZ.80240
Avast                  Win32:InjectorX-gen [Trj]
Ad-Aware               Dropped:Trojan.GenericKDZ.80240
Emsisoft               Dropped:Trojan.GenericKDZ.80240 (B)
TrendMicro             TROJ_GEN.R002C0WKH21
McAfee-GW-Edition      BehavesLike.Win32.Dropper.gc
Sophos                 Generic PUA GF (PUA)
Ikarus                 Trojan.NSIS.Agent
Webroot                W32.Trojan.GenKDZ
Avira                  TR/Injector.qkonn
MAX                    malware (ai score=88)
Kingsoft               Win32.Troj.Undef.(kcloud)
Gridinsoft             Trojan.Win32.Fareit.vl!i
Microsoft              Trojan:Win32/Casdet!rfn
GData                  Win32.Backdoor.AMRat.5QOHQQ
Cynet                  Malicious (score: 100)
TrendMicro-HouseCall   TROJ_GEN.R002H0CKH21
SentinelOne            Static AI - Suspicious PE
Fortinet               W32/Injector.APR!tr
AVG                    Win32:InjectorX-gen [Trj]