Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 30, 2023, 6:57 p.m.	March 30, 2023, 6:58 p.m.

Size	303.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`291a20fef6482b753cc6e9cc3d6bc292`
SHA256	`0b4d4ab86573d05f38f7d2fe83635c75da4462eacadd1859f00bdbdc3809f6fe`
CRC32	`03BF5B35`
ssdeep	`6144:/Ya6Nf153sKWZQ1Le/vdTNsPWXtxRVTbweyLodo9vrY8sJzOcuL:/Ynf1KKW68s+b7YeyL4A4JqX`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 30, 2023, 6:57 p.m.		1	1	0

section

.ndata

Time & API	Arguments	Status
NtProtectVirtualMemory March 30, 2023, 6:57 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2023, 6:57 p.m.	process_identifier: 2656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2023, 6:57 p.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01da0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2023, 6:57 p.m.	process_identifier: 2732 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\ovqbvillg.exe

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 30, 2023, 6:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2656 called NtSetContextThread to modify thread in remote process 2732
NtSetContextThread March 30, 2023, 6:57 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4199136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000100 process_identifier: 2732	1	0	0

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Agent.tshg
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
ALYac	Trojan.Generic.33303320
Sangfor	Suspicious.Win32.Save.ins
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanSpy:Win32/Injector.eff182fc
K7GW	Trojan ( 005a18d81 )
K7AntiVirus	Trojan ( 005a18d81 )
Cyren	W32/Injector.BKZ.gen!Eldorado
Symantec	Packed.NSISPacker!g14
ESET-NOD32	a variant of Win32/Injector.ESVA
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender	Trojan.Generic.33303320
MicroWorld-eScan	Trojan.Generic.33303320
Avast	Win32:MalwareX-gen [Trj]
Tencent	Win32.Trojan-Spy.Noon.Adhl
Sophos	Generic ML PUA (PUA)
VIPRE	Trojan.Generic.33303320
TrendMicro	TROJ_GEN.R002C0PCS23
McAfee-GW-Edition	BehavesLike.Win32.VTFlooder.fc
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.291a20fef6482b75
Emsisoft	Trojan.Generic.33303320 (B)
Ikarus	Trojan-Spy.FormBook
GData	Trojan.Generic.33303320
Avira	HEUR/AGEN.1337962
Antiy-AVL	Trojan/Win32.Injector
Gridinsoft	Trojan.Win32.Downloader.sa
Arcabit	Trojan.Generic.D1FC2B18
ZoneAlarm	HEUR:Trojan-Spy.Win32.Noon.gen
Microsoft	Trojan:Win32/Woreflint.A!cl
Google	Detected
AhnLab-V3	Trojan/Win.Agent.C5382526
McAfee	Artemis!291A20FEF648
MAX	malware (ai score=88)
TrendMicro-HouseCall	TROJ_GEN.R002C0PCS23
Rising	Trojan.Nsisinject!8.11178 (TFE:5:ylWiJlvU7gG)
Yandex	Trojan.Injector!dabhsl1IOhA
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/ShellcodeRunner.CA!tr
AVG	Win32:MalwareX-gen [Trj]
Panda	Trj/GdSda.A

vbc.exe