Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 20, 2021, 6:42 p.m.	Nov. 20, 2021, 6:42 p.m.

Size	593.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4041acd5c5461e4a2df43ea35b1d6555`
SHA256	`8920dc59a6ecffed62f983444825f753b5551089d8635989768e504a6dd7d450`
CRC32	`49A77C43`
ssdeep	`12288:GUleFHQAHvQionS7icgl7J+lr42FXgUDZZSZ2Q:hngjSFQgUVZ`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

pestudio.exe "C:\Users\test22\AppData\Local\Temp\pestudio.exe"
2768

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 20, 2021, 6:42 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 20, 2021, 6:42 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x7659d08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x7659964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x76584d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x76586f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x7658e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x76586002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x76585fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x765849e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x76585a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x77679a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77698f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77698e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x766e7a25 pestudio+0x545b8 @ 0x1745b8 pestudio+0x547a5 @ 0x1747a5 pestudio+0x547ce @ 0x1747ce pestudio+0x52e77 @ 0x172e77 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x765b3ef4 registers.esp: 3143052 registers.edi: 0 registers.eax: 33526552 registers.ebp: 3143080 registers.edx: 1 registers.ebx: 0 registers.esi: 5114360 registers.ecx: 1939879388	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 20, 2021, 6:42 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x7659d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x7659964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x76584d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x76586f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x7658e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x76586002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x76585fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x765849e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x76585a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x77679a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77698f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77698e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x766e7a25
pestudio+0x545b8 @ 0x1745b8
pestudio+0x547a5 @ 0x1747a5
pestudio+0x547ce @ 0x1747ce
pestudio+0x52e77 @ 0x172e77
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x765b3ef4
registers.esp: 3143052
registers.edi: 0
registers.eax: 33526552
registers.ebp: 3143080
registers.edx: 1
registers.ebx: 0
registers.esi: 5114360
registers.ecx: 1939879388

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 20, 2021, 6:42 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c82000 process_handle: 0xffffffff	1	0	0

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

APEX

Malicious

pestudio.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All