popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Msvsrlgkmzkynw.exe

Malicious Library UPX Anti_VM PE32 PE File MZP Format
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 2, 2023, 9:16 a.m. Oct. 2, 2023, 9:19 a.m.
Size 1.1MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 24c8ce3fb8ef860ffbc2d6bb270e06f6
SHA256 8cde60f804a160f6fdaf788a4ba9a885cf178cebe4829eafbcd3fa1fb5a78185
CRC32 6FC60F4E
ssdeep 12288:qE8C9kdWdEPv8zuVEdh9a6OLqvabdpmBkt1VEmA00P85Be2fgmv1qsM8HcZG3g55:qEPudPPOuVsaoAjlD0P83H5M8OG3
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • mzp_file_format - MZP(Delphi) file format

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49164 -> 13.107.42.13:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49164
13.107.42.13:443 		C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 02 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=onedrive.com bd:3b:d4:db:04:fd:95:39:89:1f:63:31:3a:0a:96:89:24:7a:17:91

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
0x3007672
0x30076a5
0x30075c0
0x2ffe46c
0x30100f2
0x3018754
DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x74063af0
timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x7406a535
timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x7406a434
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 193913200
registers.edi: 1
registers.eax: 193913200
registers.ebp: 193913280
registers.edx: 0
registers.ebx: 193915004
registers.esi: 192787280
registers.ecx: 7
1 0 0
request GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2408
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7409118b
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x752169d5
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75216426
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75219c4f
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f81195
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f71177
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f81159
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f7647a
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f55cb4
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f7a712
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225477 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 163840
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x02ff1000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 0
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0x00000000
3221225477 0
Time & API Arguments Status Return Repeated

RegSetValueExA

 key_handle: 0x000002bc
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
Process injection Process 2408 manipulating memory of non-child process 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 0
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0x00000000
3221225477 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob