popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

sistem.exe_11849.exe

Malicious Library UPX PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Jan. 20, 2022, 11:19 a.m. Jan. 20, 2022, 11:21 a.m.
Size 182.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 d121a4b3c39ae2c993ad5d00a8d69a0b
SHA256 a9bbebb6cd60b05199a52b5367bad281b610925605e3e55411ca84bf44d3ab8e
CRC32 CFD27D6A
ssdeep 3072:PbG7N2kDTHUpou13bAaP0BdBpzDnY+TkpCATe+c+ySjGSMD1yBT+Fsj5ou3HH6IG:PbE/HUllEdbHY+TLATe+c+ySGyQwHawG
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74252000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74303000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742f5000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nskEDEB.tmp\wplugin.dll
file C:\Users\test22\AppData\Local\Temp\nskEDEB.tmp\System.dll
file C:\Users\test22\AppData\Local\Temp\nskEDEB.tmp\System.dll
file C:\Users\test22\AppData\Local\Temp\nskEDEB.tmp\wplugin.dll
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000274
process_name: SearchProtocolHost.exe
process_identifier: 1168
1 1 0

Process32NextW

 snapshot_handle: 0x00000274
process_name: mobsync.exe
process_identifier: 2472
1 1 0

Process32NextW

 snapshot_handle: 0x00000274
process_name: sdclt.exe
process_identifier: 2816
1 1 0

Process32NextW

 snapshot_handle: 0x00000274
process_name: taskhost.exe
process_identifier: 2924
1 1 0

Process32NextW

 snapshot_handle: 0x00000274
process_name: conhost.exe
process_identifier: 3064
1 1 0

Process32NextW

 snapshot_handle: 0x00000274
process_name: sistem.exe_11849.exe
process_identifier: 2216
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
process sistem.exe_11849.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet