Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 31, 2023, 9:11 a.m.	May 31, 2023, 9:13 a.m.

Size	165.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`c044a0d5c30ed978cc2fdde590e037ec`
SHA256	`d655fd02676508febdb0226c8352168a0ae16bc0e607420650e749f1f7cfdbe3`
CRC32	`97FE28F5`
ssdeep	`3072:HfY/TU9fE9PEtuZb5Q0HPPpzpvMhrtBQ+N/db5D44o/wAoeQWOBRqzTPLBs+LJo8:/Ya6v5hraHQ+N/R5DkwAocOGtvUfK`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description)

smss.exe "C:\Users\test22\AppData\Local\Temp\smss.exe"
1984
- smss.exe "C:\Users\test22\AppData\Local\Temp\smss.exe"
  2052
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 31, 2023, 9:11 a.m.		1	1	0

section

.ndata

Time & API	Arguments	Status	Return	Repeated
__exception__ May 31, 2023, 9:11 a.m.	stacktrace: smss+0x33ff @ 0x4033ff smss+0x6443 @ 0x406443 smss+0x193cf @ 0x4193cf smss+0x67dc @ 0x4067dc BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8a 02 ff 4d 10 88 01 41 42 83 7d 10 00 75 f1 8b exception.symbol: smss+0x12bb exception.instruction: mov al, byte ptr [edx] exception.module: smss.exe exception.exception_code: 0xc0000005 exception.offset: 4795 exception.address: 0x4012bb registers.esp: 1636284 registers.edi: 1636476 registers.eax: 7153072 registers.ebp: 1636288 registers.edx: 0 registers.ebx: 1636536 registers.esi: 7153072 registers.ecx: 7153072	1	0	0

Time & API	Arguments	Status
NtAllocateVirtualMemory May 31, 2023, 9:11 a.m.	process_identifier: 1984 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 9:11 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d40000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2023, 9:11 a.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 9:11 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

file	C:\Users\test22\AppData\Local\Temp\nseC11A.tmp\peusuprto.dll
file	C:\Users\test22\AppData\Roaming\aqhl\dtxos.exe

file	C:\Users\test22\AppData\Roaming\aqhl\dtxos.exe
file	C:\Users\test22\AppData\Local\Temp\nseC11A.tmp\peusuprto.dll

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\jaeulpgk

reg_value

C:\Users\test22\AppData\Roaming\aqhl\dtxos.exe "C:\Users\test22\AppData\Local\Temp\smss.exe"

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1984 called NtSetContextThread to modify thread in remote process 2052
NtSetContextThread May 31, 2023, 9:11 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 5629472 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000214 process_identifier: 2052	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.tshg
MicroWorld-eScan	Gen:Variant.Nemesis.22782
McAfee	Artemis!C044A0D5C30E
Malwarebytes	Generic.Malware/Suspicious
Sangfor	Trojan.Win32.Agent.Vges
Cybereason	malicious.887661
Arcabit	Trojan.Nemesis.D58FE [many]
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Strab.gen
BitDefender	Gen:Variant.Nemesis.22782
Avast	Win32:TrojanX-gen [Trj]
Emsisoft	Gen:Variant.Nemesis.22782 (B)
F-Secure	Trojan.TR/AD.GenShell.bczip
VIPRE	Gen:Variant.Nemesis.22782
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.c044a0d5c30ed978
Sophos	Mal/Generic-S
Ikarus	Trojan.NSIS.Agent
Webroot	W32.Malware.Gen
Avira	TR/AD.GenShell.bczip
Gridinsoft	Trojan.Win32.WarzoneRAT.bot
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:Trojan.Win32.Strab.gen
GData	Trojan.NSISX.Spy.Gen.24 (2x)
Google	Detected
AhnLab-V3	Malware/Win.Generic.C4960456
ALYac	Gen:Variant.Ser.Tedy.4577
MAX	malware (ai score=88)
Cylance	unsafe
Panda	Trj/Chgt.AD
Rising	Trojan.Generic@AI.94 (RDML:QpmYsljAYUKrhFYIBdRJVQ)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Injector.ESZJ!tr
BitDefenderTheta	Gen:NN.ZedlaF.36250.eq4@aiobzze
AVG	Win32:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

smss.exe