popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

locacem2.1.exe

Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 April 18, 2023, 10:48 a.m. April 18, 2023, 10:49 a.m.
Size 297.3KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 241b78d02640dea21e13c5bb27f3070c
SHA256 b32ed7458086ae3a05007a54d6660b9ce6382bd82af78c2c56f856ea6f2d95a3
CRC32 B2F4C273
ssdeep 6144:gYa6K+L5KsbfC1Rx67xdAhkmIG9OtkskBU2HJjteYwqQQcXt26:gYk+L5REx6tdAhf9ObUU2HwqQQcI6
Yara
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2624
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00440000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00450000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2704
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\tgowi.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2624 called NtSetContextThread to modify thread in remote process 2704
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4199136
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000d4
process_identifier: 2704
1 0 0
Lionic Trojan.Win32.Agent.tshg
MicroWorld-eScan Trojan.Generic.33454444
FireEye Generic.mg.241b78d02640dea2
ALYac Trojan.Generic.33454444
Malwarebytes Malware.AI.3995303870
VIPRE Trojan.Generic.33454444
Sangfor Spyware.Win32.Injector.V08a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanSpy:Win32/Injector.220f04f2
K7AntiVirus Trojan ( 005a37e21 )
VirIT Trojan.Win32.GenusT.EGFI
Symantec Packed.NSISPacker!g14
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ESWF
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
BitDefender Trojan.Generic.33454444
Sophos Mal/Generic-S
Avira HEUR/AGEN.1337959
MAX malware (ai score=85)
Antiy-AVL Trojan/Win32.Injector
Gridinsoft Trojan.Win32.Downloader.sa
Arcabit Trojan.Generic.D1FE796C
ZoneAlarm HEUR:Trojan-Spy.Win32.Noon.gen
Google Detected
AhnLab-V3 Trojan/Win.NSISInject.R495658
McAfee RDN/Generic.dx
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H0CDF23
Tencent Win32.Trojan-Spy.Noon.Bplw
Ikarus Trojan-Spy.FormBook
Fortinet W32/Injector.ESVZ!tr
DeepInstinct MALICIOUS