Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 21, 2023, 9:16 a.m.	Sept. 21, 2023, 9:18 a.m.

Size	604.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`710be6c7edbd56231c80ea627e7614c9`
SHA256	`0eb1c727cb604fcaf30556be5783afb142e223d5fe037af252f98cbe1d0a2803`
CRC32	`ED92E8CE`
ssdeep	`6144:mYa6OipsvVVAkIhUqsVZjxNNp+Epb/HpS4YSamRW1OeUgSxXbI5:mYxZkIlEx1bpjHA4YYRKOeA1bE`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 21, 2023, 9:16 a.m.		1	1	0

section

.ndata

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 21, 2023, 9:16 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xffd65738 registers.esp: 4651476 registers.edi: 0 registers.eax: 1968976824 registers.ebp: 4651484 registers.edx: 4292237112 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1	0	0

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 21, 2023, 9:16 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 9:16 a.m.	process_identifier: 2656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 9:16 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00210000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\spfywgegy.exe
file	C:\Users\test22\AppData\Roaming\uajsoxhdmirbv\foktpy.exe

file	C:\Users\test22\AppData\Local\Temp\spfywgegy.exe

file	C:\Users\test22\AppData\Local\Temp\spfywgegy.exe

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ienwscx

reg_value

C:\Users\test22\AppData\Roaming\uajsoxhdmirbv\foktpy.exe "C:\Users\test22\AppData\Local\Temp\spfywgegy.exe"

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2656 called NtSetContextThread to modify thread in remote process 2712
NtSetContextThread Sept. 21, 2023, 9:16 a.m.	registers.eip: 1995571652 registers.esp: 4651576 registers.edi: 0 registers.eax: 743224 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000d0 process_identifier: 2712	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Trojan.NSISX.Spy.Gen.24
ALYac	Gen:Variant.Fragtor.365975
Malwarebytes	Generic.Malware/Suspicious
Sangfor	Spyware.Win32.Injector.V8vm
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.NSISX.Spy.Gen.24 [many]
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ETHQ
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.NSISX.Spy.Gen.24
NANO-Antivirus	Riskware.Nsis.Adw.dpxyts
Avast	Win32:PWSX-gen [Trj]
Emsisoft	Trojan.NSISX.Spy.Gen.24 (B)
VIPRE	Trojan.NSISX.Spy.Gen.24
TrendMicro	TROJ_GEN.R002C0DIK23
McAfee-GW-Edition	BehavesLike.Win32.Downloader.jh
FireEye	Generic.mg.710be6c7edbd5623
Sophos	Generic Reputation PUA (PUA)
Ikarus	Trojan.Win32.Injector
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.NSISX.Spy.Gen.24
Google	Detected
AhnLab-V3	Malware/Win.Generic.C4635477
McAfee	Artemis!710BE6C7EDBD
MAX	malware (ai score=82)
VBA32	BScope.Trojan.Injector
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0DIK23
Rising	Trojan.Convagent!8.12323 (TFE:5:9ta4BuSvkcG)
Fortinet	NSIS/Injector.ETGJ!tr
BitDefenderTheta	Gen:NN.ZexaF.36722.muW@aCPfNXni
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

ienwscx.exe