Summary | ZeroBOX

Ego2.exe

UPX, PE32, MSOffice File, PE File
Category FILE
Machine s1_win7_x6401
Started Nov. 30, 2021, 11:12 a.m.
Completed Nov. 30, 2021, 11:51 a.m.
Size 172.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d5438415ed71322922b70ac85ad02f64
SHA256 3d7e2744ac50ae3ff7fcdbf97b4f70af8236ade6c3d2e82004f0641be304f83b
CRC32 4E8B7C50
ssdeep 3072:pNWDBrYmzGMDs6xZl/LkZ9sfNyvBOaH+DMsU0BrvUyhXi148ilkK:pIBrzzDo6xZlDkZ4I5YLJsyhXi1A3
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 1636596
registers.edi: 6506096
registers.eax: 1636596
registers.ebp: 1636676
registers.edx: 0
registers.ebx: 6506096
registers.esi: 6506096
registers.ecx: 2
Status: 1 Return: 0 Repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c11000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b31000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73aa1000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a64000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b32000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bf1000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73331000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x004d0000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0
section .rsrc
  size_of_data: 0x00024000
  virtual_address: 0x00008000
  virtual_size: 0x00023370
  entropy: 7.679002515038368
description A section with a high entropy has been found
entropy 0.857142857143
description Overall entropy of this PE file is high
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify
description attempts to disable user access control
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description disables user access control notifications
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader13.38206
ClamAV Win.Trojan.004be7cd-6760703-0
FireEye Generic.mg.d5438415ed713229
CAT-QuickHeal Trojan.VBCrypt.MF.50
McAfee BackDoor-FDDH!D5438415ED71
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 004be7cd1 )
K7GW Trojan ( 004be7cd1 )
Cybereason malicious.5ed713
BitDefenderTheta Gen:NN.ZevbaF.34062.km0@amOi!hoO
Cyren W32/Injector.ADM.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.BZAS
TrendMicro-HouseCall TROJ_GEN.R002C0PKT21
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky Trojan.Win32.Inject.uyjy
BitDefender Gen:Variant.Symmi.15294
NANO-Antivirus Trojan.Win32.Inject.dyksvy
MicroWorld-eScan Gen:Variant.Symmi.15294
Avast Win32:Trojan-gen
Tencent Win32.Trojan.Inject.Wpst
Ad-Aware Gen:Variant.Symmi.15294
Sophos Mal/Generic-S
TrendMicro TROJ_GEN.R002C0PKT21
McAfee-GW-Edition BehavesLike.Win32.Trojan.cc
Emsisoft Trojan.Injector (A)
Ikarus Win32.Outbreak
Jiangmin Trojan/Inject.axkc
Webroot W32.Trojan.Gen
Avira TR/Dropper.Gen
Antiy-AVL Trojan/Generic.ASMalwS.156D6C7
Kingsoft Win32.Troj.Inject.uy.(kcloud)
Gridinsoft Trojan.Win32.Injector.dd!n
Microsoft VirTool:Win32/VBInject
ViRobot Trojan.Win32.Inject.176128.D
GData Gen:Variant.Symmi.15294
TACHYON Trojan/W32.VB-Injector.176128
AhnLab-V3 Malware/Gen.RL_Generic.R273914
Acronis suspicious
VBA32 TScope.Trojan.VB
ALYac Gen:Variant.Symmi.15294
MAX malware (ai score=88)
Malwarebytes Trojan.Injector
APEX Malicious
Yandex Trojan.GenAsa!bUFpJPpMDL4
SentinelOne Static AI - Malicious PE