popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

aaa.exe

Gen1 Malicious Library UPX Malicious Packer PE File PE32 DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 23, 2022, 5:32 p.m. Sept. 23, 2022, 5:37 p.m.
Size 1.7MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 7b74e4fb9a95f41d5d9b4a71a5fe40b9
SHA256 0ec87a7f943ab72d08aeb957d33dd348ab7cf45052ab7a31bcce33ff7a095837
CRC32 A6D662D7
ssdeep 12288:cbVyGrARa7TAPZfMiuU9YAioFOVdgnFoA7aXKPXPiXuHNHGb6bH/zx/GCLW/nh/B:cb8BwmZ33qAioFmymA7yEpGLm+FFaO
Yara
  • IsPE32 - (no description)
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
0x1e0f497b
Int64Op+0x12e0 system+0x2c59 @ 0x74302c59

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x458d0040
registers.esp: 1634356
registers.edi: 16
registers.eax: 0
registers.ebp: 1635788
registers.edx: 0
registers.ebx: 0
registers.esi: 16
registers.ecx: 504321512
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74305000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3032
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02080000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02270000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3032
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02271000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3032
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02275000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02286000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02287000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x776df000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsvE1B6.tmp\System.dll
file C:\Users\test22\AppData\Local\Temp\nsvE1B6.tmp\System.dll
buffer Buffer with sha1: 41fa5aebc149d9c428b34b4ba11b2772c7440d4d
Process injection Process 2780 called NtSetContextThread to modify thread in remote process 3032
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2003108292
registers.esp: 1638384
registers.edi: 0
registers.eax: 4297839
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001e4
process_identifier: 3032
1 0 0
Lionic Trojan.Win32.Agent.Y!c
MicroWorld-eScan Gen:Variant.Nemesis.10729
McAfee Artemis!7B74E4FB9A95
Cylance Unsafe
Sangfor Trojan.Win32.Agent.V1tr
BitDefender Gen:Variant.Nemesis.10729
Arcabit Trojan.Nemesis.D29E9
Symantec Downloader
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Dropper.Win32.Agent.gen
Avast FileRepMalware [Ransom]
Tencent Win32.Trojan-Dropper.Agent.Ddhl
Emsisoft Gen:Variant.Nemesis.10729 (B)
F-Secure Heuristic.HEUR/AGEN.1252584
VIPRE Gen:Variant.Nemesis.10729
McAfee-GW-Edition BehavesLike.Win32.Generic.tm
FireEye Gen:Variant.Nemesis.10729
Avira HEUR/AGEN.1252584
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Gen:Variant.Nemesis.10729
ALYac Gen:Variant.Nemesis.10729
MAX malware (ai score=88)
TrendMicro-HouseCall TROJ_GEN.R002H07IN22
Rising Trojan.Injector/NSIS!1.BFBB (CLASSIC)
Fortinet NSIS/Injector.AOW!tr
AVG FileRepMalware [Ransom]
CrowdStrike win/malicious_confidence_60% (W)