Summary | ZeroBOX

711b8121-1755-40dd-8840-d49d5f12d1f1

Malicious Library UPX OS Processor Check PE32 PE File
Category FILE
Machine s1_win7_x6401
Started March 20, 2023, 9:42 a.m.
Completed March 20, 2023, 10:06 a.m.
Size 7.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 fb0deff37fe12bbc4f0c1fe21e2d15ef
SHA256 ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76
CRC32 551392D5
ssdeep 196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1, return: 1, repeated: 0
section .PB
section .o)=
section .$w^
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
711b8121-1755-40dd-8840-d49d5f12d1f1+0x59a95a @ 0x6aa95a
0x7efde000

exception.instruction_r: 90 56 52 9c be 44 1c d7 60 ba 14 08 49 21 53 8b
exception.symbol: 711b8121-1755-40dd-8840-d49d5f12d1f1+0x742fcc
exception.instruction: nop
exception.module: 711b8121-1755-40dd-8840-d49d5f12d1f1.exe
exception.exception_code: 0x80000004
exception.offset: 7614412
exception.address: 0x852fcc
registers.esp: 14545840
registers.edi: 0
registers.eax: 3221724514
registers.ebp: 14547864
registers.edx: 42
registers.ebx: 1114112
registers.esi: 0
registers.ecx: 1968898048
status: 1, return: 0, repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ef0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00fd0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00fe0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
section: name .$w^, virtual_address 0x00432000, virtual_size 0x00700c30, size_of_data 0x00700e00, entropy 7.974545786723369
description: A section with a high entropy has been found
entropy: 0.936838667538
description: Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 1 (FILE_OPEN)
file_handle: 0x000000b0
filepath: \??\PhysicalDrive0
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 0 (FILE_SUPERSEDED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
status: 1, return: 0, repeated: 0

DeviceIoControl

input_buffer:
control_code: 458752 (IOCTL_DISK_GET_DRIVE_GEOMETRY)
device_handle: 0x000000b0
output_buffer: Q ÿ?
status: 1, return: 1, repeated: 0
Elastic malicious (high confidence)
FireEye Generic.mg.fb0deff37fe12bbc
Malwarebytes Malware.AI.2943530042
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_90% (W)
BitDefenderTheta Gen:NN.ZexaF.36344.@J0@aagvjPpi
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.VMProtect.AHG
Cynet Malicious (score: 100)
APEX Malicious
Avast Win32:Trojan-gen
Sophos Generic ML PUA (PUA)
McAfee-GW-Edition BehavesLike.Win32.Generic.wc
Trapmine malicious.high.ml.score
SentinelOne Static AI - Suspicious PE
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1254260
Microsoft Trojan:Win32/Caynamer.A!ml
Cylance unsafe
Rising Trojan.Generic@AI.100 (RDML:El+nAknUmndjOz85+GZe6A)
AVG Win32:Trojan-gen
Panda Trj/Agent.MK