Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 30, 2023, 5:11 p.m.	May 30, 2023, 5:31 p.m.

Size	168.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`d9e03dba3c5cce141156dc0cdd710b31`
SHA256	`251aef3ea7ac5458e72e00f5c2ab96203de6467ed11871f29070904bc675739c`
CRC32	`7A48D998`
ssdeep	`3072:3fY/TU9fE9PEtuwb+/mGGUHUGOGj2/2REKu5Yc6R0r3/f4Lxd0:vYa6E8mGGUHIGquRSvb/fJ`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description)

smss.exe "C:\Users\test22\AppData\Local\Temp\smss.exe"
1680
- smss.exe "C:\Users\test22\AppData\Local\Temp\smss.exe"
  2104
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 30, 2023, 5:11 p.m.		1	1	0

section

.ndata

Time & API	Arguments	Status	Return	Repeated
__exception__ May 30, 2023, 5:11 p.m.	stacktrace: smss+0x33ff @ 0x4033ff smss+0x6443 @ 0x406443 smss+0x193cf @ 0x4193cf smss+0x67dc @ 0x4067dc BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8a 02 ff 4d 10 88 01 41 42 83 7d 10 00 75 f1 8b exception.symbol: smss+0x12bb exception.instruction: mov al, byte ptr [edx] exception.module: smss.exe exception.exception_code: 0xc0000005 exception.offset: 4795 exception.address: 0x4012bb registers.esp: 1636284 registers.edi: 1636476 registers.eax: 10626480 registers.ebp: 1636288 registers.edx: 0 registers.ebx: 1636536 registers.esi: 10626480 registers.ecx: 10626480	1	0	0

Time & API	Arguments	Status
NtAllocateVirtualMemory May 30, 2023, 5:11 p.m.	process_identifier: 1680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 5:11 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d40000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 30, 2023, 5:11 p.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 5:12 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

file	C:\Users\test22\AppData\Local\Temp\nshC0BD.tmp\xilnixp.dll
file	C:\Users\test22\AppData\Roaming\gbrvmd\hxdtkof.exe

file	C:\Users\test22\AppData\Roaming\gbrvmd\hxdtkof.exe
file	C:\Users\test22\AppData\Local\Temp\nshC0BD.tmp\xilnixp.dll

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vaqulcgwnrimd

reg_value

C:\Users\test22\AppData\Roaming\gbrvmd\hxdtkof.exe "C:\Users\test22\AppData\Local\Temp\smss.exe"

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1680 called NtSetContextThread to modify thread in remote process 2104
NtSetContextThread May 30, 2023, 5:11 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 5629472 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000234 process_identifier: 2104	1	0	0

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Gen:Variant.Nemesis.22782
ALYac	Gen:Variant.Ser.Tedy.4577
Malwarebytes	Malware.AI.186173318
VIPRE	Gen:Variant.Nemesis.22782
Cybereason	malicious.0025e6
Arcabit	Trojan.Nemesis.D58FE [many]
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ESZH
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Strab.gen
BitDefender	Gen:Variant.Nemesis.22782
Avast	Win32:PWSX-gen [Trj]
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.d9e03dba3c5cce14
Emsisoft	Gen:Variant.Nemesis.22782 (B)
Ikarus	Trojan.NSIS.Agent
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Strab.gen
GData	Trojan.NSISX.Spy.Gen.24
Google	Detected
Acronis	suspicious
McAfee	Artemis!D9E03DBA3C5C
MAX	malware (ai score=84)
Rising	Trojan.Injector!8.C4 (TFE:5:o2fDO49gABG)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Injector.ESZG!tr
BitDefenderTheta	Gen:NN.ZedlaF.36250.fq4@a8Z9thg
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (D)

smss.exe