Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 20, 2023, 5:27 p.m.	June 20, 2023, 5:38 p.m.

Size	268.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`2f570584d844c86b86f47a5492d2aed6`
SHA256	`ec5be7c50c187de9346e381fe229eb22a3383dfd70bbac3568051af0ee25016c`
CRC32	`F5D75025`
ssdeep	`6144:19X0GEOduy2F7By+wWH1ZK+o7mBgpzwTtQ8LMAP0yiBrpja:r0dOIy2ry+wWVZK10TtQ87ViBVja`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

lsass.exe "C:\Users\test22\AppData\Local\Temp\lsass.exe"
1072

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 20, 2023, 5:27 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 20, 2023, 5:27 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741c4000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 20, 2023, 5:27 p.m.	process_identifier: 1072 region_size: 20258816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsbC0AC.tmp\System.dll

Creates hidden or system file (6 events)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW June 20, 2023, 5:27 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp filepath: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp		0	0
SetFileAttributesW June 20, 2023, 5:27 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp filepath: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp		0	0
SetFileAttributesW June 20, 2023, 5:27 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp filepath: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp		0	0
SetFileAttributesW June 20, 2023, 5:27 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp filepath: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp		0	0
SetFileAttributesW June 20, 2023, 5:27 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp filepath: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp		0	0
SetFileAttributesW June 20, 2023, 5:27 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp filepath: C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp		0	0

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsbC0AC.tmp\System.dll

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Androm.ts6W
MicroWorld-eScan	Trojan.Generic.33938032
CAT-QuickHeal	Trojandownloader.Minix
McAfee	RDN/Generic.dx
Malwarebytes	Trojan.GuLoader
Sangfor	Downloader.Win32.Injector.Vzub
K7AntiVirus	Trojan ( 005a6f571 )
Alibaba	TrojanDownloader:Win32/Minix.62a1166e
K7GW	Trojan ( 005a6f571 )
Arcabit	Trojan.Generic.D205DA70
VirIT	Trojan.Win32.NSISDrp.XP
Cyren	W32/ABRisk.TVIH-7272
Symantec	Trojan.Gen.2
Elastic	malicious (high confidence)
ESET-NOD32	NSIS/Injector.BXG
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.Win32.Minix.gen
BitDefender	Trojan.Generic.33938032
Avast	NSIS:InjectorX-gen [Trj]
Tencent	Win32.Trojan.FalseSign.Dwnw
Emsisoft	Trojan.Generic.33938032 (B)
F-Secure	Trojan.TR/Injector.yfsqs
VIPRE	Trojan.Generic.33938032
TrendMicro	Trojan.Win32.GULOADER.YXDFMZ
McAfee-GW-Edition	RDN/Generic.dx
FireEye	Trojan.Generic.33938032
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Injector.yfsqs
MAX	malware (ai score=85)
Antiy-AVL	Trojan/NSIS.Injector
Gridinsoft	Trojan.Win32.GuLoader.bot
Xcitium	Malware@#1kf42shrcmy2l
Microsoft	Trojan:Win32/Wacatac.A!ml
ZoneAlarm	HEUR:Trojan-Downloader.Win32.Minix.gen
GData	Trojan.Generic.33938032
Cynet	Malicious (score: 99)
AhnLab-V3	Downloader/Win.GuLoader.C5440855
VBA32	TrojanDownloader.Minix
ALYac	Trojan.Generic.33938032
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.GULOADER.YXDFMZ
Ikarus	Trojan.NSIS.Agent
Fortinet	Malicious_Behavior.SB
AVG	NSIS:InjectorX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

lsass.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All