Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 21, 2023, 12:59 p.m.	July 21, 2023, 1:06 p.m.

Size	4.2MB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`d335c0fd96458200acaeae1d1b4e136e`
SHA256	`aaebf0bf78046d2b05aaafd7687351d0fbf6231f522d7919f4c4a5880be5bd72`
CRC32	`F63AD73C`
ssdeep	`49152:4ptbaOdkNVTqUN6SONCXqlbPttWGm9yQat9TBAhkCiWfwVkmCiDPtrS:4psS3l5tWd9KMYVkIBS`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check mzp_file_format - MZP(Delphi) file format IsDLL - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Javascript_Blob - use blob(Binary Large Objec) javascript

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lightshot.dll,DeinitLightshot
804
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lightshot.dll,MakeScreenshot
2220
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lightshot.dll,InitLightshot
2132
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lightshot.dll,MakeScreenshotByCommand
2316
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lightshot.dll,SetTranslations
2408
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lightshot.dll,TMethodImplementationIntercept
2512
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lightshot.dll,
2620
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lightshot.dll,dbk_fcall_wrapper
2720
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lightshot.dll,dbkFCallWrapperAddr
2812
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Lightshot.dll,
2904

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 21, 2023, 12:59 p.m.			0	0
IsDebuggerPresent July 21, 2023, 12:59 p.m.			0	0
IsDebuggerPresent July 21, 2023, 12:59 p.m.			0	0
IsDebuggerPresent July 21, 2023, 12:59 p.m.			0	0
IsDebuggerPresent July 21, 2023, 12:59 p.m.			0	0
IsDebuggerPresent July 21, 2023, 12:59 p.m.			0	0
IsDebuggerPresent July 21, 2023, 12:59 p.m.			0	0
IsDebuggerPresent July 21, 2023, 12:59 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 21, 2023, 12:59 p.m.	stacktrace: TMethodImplementationIntercept+0x5a DeinitLightshot-0x26c0ae lightshot+0x6fa9e @ 0x1fbfa9e TMethodImplementationIntercept+0xe DeinitLightshot-0x26c0fa lightshot+0x6fa52 @ 0x1fbfa52 rundll32+0x137d @ 0x2c137d rundll32+0x1326 @ 0x2c1326 rundll32+0x1901 @ 0x2c1901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 83 7a f8 00 7c 29 f0 ff 42 f8 53 8b 18 85 db 74 exception.instruction: cmp dword ptr [edx + 0xfffffff8], 0 exception.exception_code: 0xc0000005 exception.symbol: __dbk_fcall_wrapper-0x43ac lightshot+0xd78c exception.address: 0x1f5d78c registers.esp: 915972 registers.edi: 0 registers.eax: 916024 registers.ebp: 916028 registers.edx: 52 registers.ebx: 262144 registers.esi: 916024 registers.ecx: 33153740	1	0	0
__exception__ July 21, 2023, 12:59 p.m.	stacktrace: rundll32+0x1326 @ 0x2c1326 rundll32+0x1901 @ 0x2c1901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff exception.instruction: add byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: SetTranslations+0x1eae4 lightshot+0x2fa640 exception.address: 0x227a640 registers.esp: 653268 registers.edi: 0 registers.eax: 328040 registers.ebp: 653384 registers.edx: 9 registers.ebx: 0 registers.esi: 328040 registers.ecx: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 78 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0227f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74341000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0219f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0232f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74341000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0235f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:59 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74311000 process_handle: 0xffffffff	1

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Bkav	W32.AIDetectMalware
FireEye	Generic.mg.d335c0fd96458200
Sangfor	Virus.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (D)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Spy.Grandoreiro.CB
APEX	Malicious
Kaspersky	HEUR:Trojan-Banker.Win32.Grandoreiro.gen
ZoneAlarm	HEUR:Trojan-Banker.Win32.Grandoreiro.gen
VBA32	suspected of Trojan.Downloader.gen
Rising	Spyware.Krachulka!8.10050 (TFE:6:XSjT43HhRJC)
Ikarus	Trojan-Spy.Grandoreiro

Lightshot.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All