Summary | ZeroBOX

Revolution_Makerspace_Certificate_Installer.exe

UPX Malicious Library PE File DLL PE32 BMP Format
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 9, 2023, 9:06 a.m. Aug. 9, 2023, 9:11 a.m.
Size 570.3KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
MD5 faeb62b6240705a8af7152198449e64a
SHA256 039f3a8d173f835d3e71cfc8433ead08f9975f8b6d9afd7d28bb76d54f7f38bf
CRC32 D6214A3C
ssdeep 12288:4cp8NYTcQBQnHW52sOMbrG90Jjj5b47Jk62:4g8qQQBQHxshnT
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
revolution_makerspace_certificate_installer+0x462a @ 0x40462a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 2685776
registers.edi: 0
registers.eax: 61770384
registers.ebp: 2685804
registers.edx: 1
registers.ebx: 0
registers.esi: 11048760
registers.ecx: 1926182364
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e5c7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733c2000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsiF3C7.tmp\GetVersion.dll
file C:\Users\test22\AppData\Local\Temp\nsiF3C7.tmp\NSISArray.dll
file C:\Users\test22\AppData\Local\Temp\wlan_test.exe
file C:\Users\test22\AppData\Local\Temp\nsiF3C7.tmp\LangDLL.dll
file C:\Users\test22\AppData\Local\Temp\nsiF3C7.tmp\System.dll
file C:\Users\test22\AppData\Local\Temp\wlan_test.exe
file C:\Users\test22\AppData\Local\Temp\nsiF3C7.tmp\GetVersion.dll
file C:\Users\test22\AppData\Local\Temp\nsiF3C7.tmp\NSISArray.dll
file C:\Users\test22\AppData\Local\Temp\nsiF3C7.tmp\LangDLL.dll
file C:\Users\test22\AppData\Local\Temp\nsiF3C7.tmp\System.dll
Bkav W32.AIDetectMalware
FireEye Generic.mg.faeb62b6240705a8
APEX Malicious
Trapmine malicious.moderate.ml.score
Antiy-AVL GrayWare/Win32.ZenVPN
VBA32 Trojan.Autoit.F
CrowdStrike win/grayware_confidence_100% (D)
section {u'size_of_data': u'0x00005a00', u'virtual_address': u'0x0000b000', u'entropy': 7.15566772409574, u'name': u'.rdata', u'virtual_size': u'0x00005920'} entropy 7.1556677241 description A section with a high entropy has been found
entropy 0.236842105263 description Overall entropy of this PE file is high