Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 2, 2023, 9:35 a.m.	March 2, 2023, 9:43 a.m.

Size	192.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`15ee8e51c501df2614eb8f81a4f5fde6`
SHA256	`4f28ee7984759256fdaf5b2a190a5a16f6df2925248550dae5d85fdce9e027b6`
CRC32	`D7191093`
ssdeep	`6144:vYa6V+NeSpPUP373Uu63pZQIulcgJBfbfOvPE+UgLi1:vY/epcbURgIhgJxSvPQF1`
Yara	UPX_Zero - UPX packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 2, 2023, 9:35 a.m.		1	1	0

section

.ndata

Time & API	Arguments	Status	Return	Repeated
__exception__ March 2, 2023, 9:35 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xffd45738 registers.esp: 4651180 registers.edi: 0 registers.eax: 1968976824 registers.ebp: 4651188 registers.edx: 4292106040 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1	0	0

Time & API	Arguments	Status
NtProtectVirtualMemory March 2, 2023, 9:35 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 2, 2023, 9:35 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 2, 2023, 9:35 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\bakfhb.exe
file	C:\Users\test22\AppData\Roaming\luqaajee\njjsccxhqq.exe

file	C:\Users\test22\AppData\Local\Temp\bakfhb.exe

file	C:\Users\test22\AppData\Local\Temp\bakfhb.exe

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mvvrbbkgp

reg_value

C:\Users\test22\AppData\Roaming\luqaajee\njjsccxhqq.exe "C:\Users\test22\AppData\Local\Temp\bakfhb.exe" C:\Users\test22\AppData\L

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2652 called NtSetContextThread to modify thread in remote process 2704
NtSetContextThread March 2, 2023, 9:35 a.m.	registers.eip: 1995571652 registers.esp: 4651280 registers.edi: 0 registers.eax: 677688 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000e4 process_identifier: 2704	1	0	0

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Agent.tshg
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Garf.Gen.6
FireEye	Generic.mg.15ee8e51c501df26
ALYac	Trojan.Garf.Gen.6
Cylance	unsafe
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.Garf.Gen.6
Cyren	W32/Injector.BKA.gen!Eldorado
Symantec	Packed.NSISPacker!g14
ESET-NOD32	a variant of Win32/Injector.ESSW
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.Garf.Gen.6
Avast	FileRepMalware [Misc]
Sophos	Generic ML PUA (PUA)
DrWeb	Trojan.Loader.1322
VIPRE	Trojan.Garf.Gen.6
McAfee-GW-Edition	BehavesLike.Win32.Dropper.cc
Trapmine	malicious.moderate.ml.score
Emsisoft	Trojan.Garf.Gen.6 (B)
Ikarus	Trojan.Inject
MAX	malware (ai score=85)
Microsoft	TrojanSpy:Win32/AveMaria.BM
GData	Trojan.Garf.Gen.6
Google	Detected
McAfee	Artemis!15EE8E51C501
Rising	Trojan.Injector!8.C4 (CLOUD)
Fortinet	W32/Injector.ESSR!tr
BitDefenderTheta	Gen:NN.ZexaF.36308.gqW@aCCN3rb
AVG	FileRepMalware [Misc]
Cybereason	malicious.f9070b

ojekon2.1.exe