Summary | ZeroBOX

rc2.jpg

Tags PE32, PE File, DLL
Category FILE
Machine s1_win7_x6401
Started Oct. 16, 2023, 10:55 a.m.
Completed Oct. 16, 2023, 10:58 a.m.
Size 38.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Note: the submitted name carries a .jpg extension while the content is a UPX-packed PE32 DLL; the stack traces below show the sandbox loading it through rundll32 (LoadLibraryExW called from rundll32).
MD5 9727340e36156ec7295b019317a9c5d5
SHA256 eb4efba721c9a2675bb96813f0fa684d0d4dad793639b4497d840f41ba47be9f
CRC32 132E1305
ssdeep 768:IVXR5Z7y0+RWQZaUHurZSW81O5c9StzD1Rn2oJB4OtwGgMmhfuAR4/60yw:IRvZ7uRW0HuFSnEcotzSoJGPhnRNh
Yara
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • IsPE32 - (no description)

Domains (Name | Response | Post-Analysis Lookup)
No hosts contacted.
Hosts (IP Address | Status | Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated

__exception__

stacktrace:
LdrResFindResourceDirectory+0x606 RtlEncodeSystemPointer-0x3d ntdll+0x3e01b @ 0x76f4e01b
LdrLoadDll+0x2f5 _strcmpi-0x8a ntdll+0x3c72f @ 0x76f4c72f
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x76f4c389
RtlFlsAlloc+0x993 EtwNotificationRegister-0x13c ntdll+0x3f3f6 @ 0x76f4f3f6
RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x454 ntdll+0x3e395 @ 0x76f4e395
RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3ea05 @ 0x76f4ea05
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
rundll32+0x14ed @ 0xda14ed
rundll32+0x1baf @ 0xda1baf
rundll32+0x12e8 @ 0xda12e8
rundll32+0x1901 @ 0xda1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 83 38 48 0f 82 39 ff 01 00 8b 48 40 85 c9 0f 84
exception.symbol: LdrResFindResourceDirectory+0x9f RtlEncodeSystemPointer-0x5a4 ntdll+0x3dab4
exception.instruction: cmp dword ptr [eax], 0x48
exception.module: ntdll.dll
exception.exception_code: 0xc0000006 (STATUS_IN_PAGE_ERROR)
exception.offset: 252596 (0x3dab4, consistent with ntdll+0x3dab4 in exception.symbol)
exception.address: 0x76f4dab4
registers.esp: 2944912 (0x2cef90)
registers.edi: 1 (0x1)
registers.eax: 268468152 (0x10007fb8)
registers.ebp: 2944916 (0x2cef94)
registers.edx: 268468152 (0x10007fb8)
registers.ebx: 268435456 (0x10000000)
registers.esi: 1996562944 (0x77012200)
registers.ecx: 64 (0x40)
Status 1 | Return 0 | Repeated 0
Note: the fault is raised inside the loader (LdrLoadDll -> LdrResSearchResource -> LdrResFindResourceDirectory) while rundll32 is in LoadLibraryExW, the sandbox's way of running a DLL sample; the faulting instruction reads [eax] = 0x10007fb8. ebx holds 0x10000000, the linker's default image base for 32-bit DLLs, so if ebx is the sample's image base the read lands 0x7fb8 bytes into the freshly mapped image. STATUS_IN_PAGE_ERROR means the backing page could not be read in (an I/O error on the mapped file), not a plain invalid-address access violation. No other API activity, network traffic or Suricata alerts are recorded for this run.

__exception__

stacktrace:
LdrResFindResourceDirectory+0x606 RtlEncodeSystemPointer-0x3d ntdll+0x3e01b @ 0x76f4e01b
LdrLoadDll+0x2f5 _strcmpi-0x8a ntdll+0x3c72f @ 0x76f4c72f
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x76f4c389
RtlFlsAlloc+0x993 EtwNotificationRegister-0x13c ntdll+0x3f3f6 @ 0x76f4f3f6
RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x454 ntdll+0x3e395 @ 0x76f4e395
RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3ea05 @ 0x76f4ea05
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
rundll32+0x14ed @ 0xda14ed
rundll32+0x1baf @ 0xda1baf
rundll32+0x12e8 @ 0xda12e8
rundll32+0x1901 @ 0xda1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 83 38 48 0f 82 39 ff 01 00 8b 48 40 85 c9 0f 84
exception.symbol: LdrResFindResourceDirectory+0x9f RtlEncodeSystemPointer-0x5a4 ntdll+0x3dab4
exception.instruction: cmp dword ptr [eax], 0x48
exception.module: ntdll.dll
exception.exception_code: 0xc0000006 (STATUS_IN_PAGE_ERROR)
exception.offset: 252596 (0x3dab4, consistent with ntdll+0x3dab4 in exception.symbol)
exception.address: 0x76f4dab4
registers.esp: 3076864 (0x2ef300)
registers.edi: 1 (0x1)
registers.eax: 268468152 (0x10007fb8)
registers.ebp: 3076868 (0x2ef304)
registers.edx: 268468152 (0x10007fb8)
registers.ebx: 268435456 (0x10000000)
registers.esi: 1996562944 (0x77012200)
registers.ecx: 64 (0x40)
Status 1 | Return 0 | Repeated 0
Note: the same fault at the same address and with the same register contents, recorded a second time with a different stack pointer (esp 0x2ef300 against 0x2cef90 above).

__exception__

stacktrace:
cs_strdup+0x670 decodeInstruction-0x969 @ 0x737064da
decodeInstruction+0x6d SHA1Reset-0xe54 @ 0x73706eb0
X86_getInstruction+0x104 printSrcIdx8-0x2874 @ 0x73701495
cs_disasm_ex+0x168 cs_free-0x55d @ 0x73700571
disasm+0x68 hook_create_stub-0x8e @ 0x736d4028
log_exception+0x2bd log_action-0x360 @ 0x736d355f
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x736f480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
NotifyShims+0x96e1 aclayers+0x545c3 @ 0x741e45c3
NotifyShims+0x979d aclayers+0x5467f @ 0x741e467f
GetHookAPIs-0x46550 aclayers+0x3ef9 @ 0x74193ef9
RtlQueryEnvironmentVariable+0x241 RtlQueryEnvironmentVariable_U-0x23 ntdll+0x39930 @ 0x76f49930
LdrShutdownProcess+0x141 RtlDetectHeapLeaks-0x111 ntdll+0x58fba @ 0x76f68fba
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
rundll32+0x135c @ 0xda135c
rundll32+0x1901 @ 0xda1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8a 14 02 8b 45 0c 88 10 31 c0 eb 03 83 c8 ff 83
exception.symbol: MCOperand_CreateImm0+0x6e X86_getInstruction-0x52
exception.instruction: mov dl, byte ptr [edx + eax]
exception.module: monitor-x86.dll
exception.exception_code: 0xc0000006 (STATUS_IN_PAGE_ERROR)
exception.offset: 201535 (0x3133f)
exception.address: 0x7370133f
registers.esp: 1956168 (0x1dd948)
registers.edi: 0 (0x0)
registers.eax: 0 (0x0)
registers.ebp: 1956192 (0x1dd960)
registers.edx: 1948191085 (0x741f096d)
registers.ebx: 0 (0x0)
registers.esi: 1948191085 (0x741f096d)
registers.ecx: 0 (0x0)
Status 1 | Return 0 | Repeated 0
Note: exception.module is monitor-x86.dll, the sandbox's own hooking library, and the top frames (cs_disasm_ex, X86_getInstruction, decodeInstruction, log_exception, New_ntdll_RtlDispatchException) are its bundled Capstone disassembler logging another exception raised during ExitProcess. The byte read at [edx + eax] = 0x741f096d lies 0x6096d above the aclayers base (0x74190000, from the aclayers+0x545c3 @ 0x741e45c3 frame). This record is an artifact of the monitoring layer, not behaviour of the sample.
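Working from the three __exception__ records above, a practitioner usually wants the raw values turned into something comparable: the NTSTATUS name, the module base behind each `module+0xoffset @ 0xaddress` frame, and the decimal register values as hex resolved against those bases. The script below is an added example, not part of ZeroBOX or Cuckoo; the frames and exception fields it embeds are copied from the first record on this page, and the 16 MiB image-size cap and the small NTSTATUS table are its own assumptions. Run against that record it confirms that exception.offset added to the derived ntdll base gives exception.address, turns eax into 0x10007fb8 (in none of the modules the trace names, but 0x7fb8 above ebx = 0x10000000) and attributes esi to ntdll+0x102200 by the nearest-base heuristic.

```python
"""Decode a Cuckoo-style __exception__ record: module bases from the stack
trace, NTSTATUS name, and registers resolved to module+offset.
Added example, not sandbox code; the input below is copied from this report."""
import re

# A frame that ends in "<module>+0x<off> @ 0x<addr>" gives the module base directly.
FRAME_RE = re.compile(r"(?P<module>\w[\w.-]*)\+0x(?P<off>[0-9a-f]+) @ 0x(?P<addr>[0-9a-f]+)$")

NTSTATUS = {  # small table of common exception codes; this example's own, not exhaustive
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000006: "STATUS_IN_PAGE_ERROR",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0x80000003: "STATUS_BREAKPOINT",
}

REPORT_FRAMES = [  # copied from the first __exception__ block of this report
    "LdrResFindResourceDirectory+0x606 RtlEncodeSystemPointer-0x3d ntdll+0x3e01b @ 0x76f4e01b",
    "LdrLoadDll+0x2f5 _strcmpi-0x8a ntdll+0x3c72f @ 0x76f4c72f",
    "New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf",
    "LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a",
    "rundll32+0x14ed @ 0xda14ed",
    "BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca",
]
REPORT_EXCEPTION = {  # same block; the report prints registers in decimal
    "exception_code": 0xC0000006, "address": 0x76F4DAB4, "offset": 252596, "module": "ntdll.dll",
    "registers": {"eax": 268468152, "ebx": 268435456, "ecx": 64, "edx": 268468152,
                  "esi": 1996562944, "edi": 1, "esp": 2944912, "ebp": 2944916},
}


def module_bases(frames):
    """Derive {module: base} from every frame that carries a module-relative offset."""
    bases = {}
    for line in frames:
        m = FRAME_RE.search(line.strip())
        if not m:
            continue  # e.g. monitor hook frames (New_ntdll_*) name no module
        base = int(m["addr"], 16) - int(m["off"], 16)
        prev = bases.setdefault(m["module"], base)
        if prev != base:  # two frames of one module must agree on its base
            raise ValueError(f"inconsistent base for {m['module']}: {prev:#x} vs {base:#x}")
    return bases


def resolve(addr, bases, max_image=0x1000000):
    """Nearest base at or below addr, or None if no module from the trace plausibly
    covers it (offset beyond max_image; the trace gives no real image sizes)."""
    below = [(base, mod) for mod, base in bases.items() if base <= addr]
    if not below:
        return None
    base, mod = max(below)
    return (mod, addr - base) if addr - base < max_image else None


def describe_exception(exc, frames, max_image=0x1000000):
    """NTSTATUS name, faulting module+offset, offset/address consistency, registers."""
    bases = module_bases(frames)
    mod = exc["module"].rsplit(".", 1)[0]  # "ntdll.dll" -> "ntdll", as the frames spell it
    return {
        "status": NTSTATUS.get(exc["exception_code"], f"unknown NTSTATUS {exc['exception_code']:#010x}"),
        "faulting": resolve(exc["address"], bases, max_image),
        "offset_consistent": (bases[mod] + exc["offset"] == exc["address"]) if mod in bases else None,
        "registers": {reg: {"hex": f"{val:#010x}", "module": resolve(val, bases, max_image)}
                      for reg, val in exc["registers"].items()},
    }


if __name__ == "__main__":
    info = describe_exception(REPORT_EXCEPTION, REPORT_FRAMES)
    print(info["status"], info["faulting"], info["offset_consistent"])
    for reg, r in info["registers"].items():
        print(f"{reg}: {r['hex']} -> {r['module']}")
```

Registers that resolve to None (eax, edx, ebx, ecx, edi, esp, ebp here) are outside every module the trace names; for eax/edx that is the point, since the read target is relative to ebx rather than to ntdll or rundll32.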
Signatures
  • A section with a high entropy has been found: UPX1 (virtual_address 0x00011000, virtual_size 0x00009000, size_of_data 0x00008e00, entropy 7.883)
  • Overall entropy of this PE file is high: 0.959 (a ratio, not bits: the share of section raw data that lies in high-entropy sections)
  • Section name indicates UPX: UPX0
  • Section name indicates UPX: UPX1
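The packer signatures above (a high-entropy section, a high overall ratio, UPX section names) can be reproduced offline with a short header walk, which is also the quickest way to confirm a sample is packed before unpacking it. The script below is an added example, not ZeroBOX or Cuckoo code: it parses the PE section table, computes Shannon entropy per section, flags UPX names, reports the fraction of section bytes sitting in high-entropy sections, and adds one check the report does not make, whether each section's raw data actually fits inside the file. The 6.8-bit and 0.2 thresholds and the in-memory sample PE built by build_sample_pe are this example's own assumptions and constructed input, not values or data taken from rc2.jpg.

```python
"""Section-level packer triage for a PE file: per-section entropy, UPX section
names, raw-data bounds, and the compressed-data ratio. Added example, not
sandbox code; the PE it analyses is constructed in memory so it runs offline."""
import math
import random
import struct
from collections import Counter

# Assumed thresholds approximating the sandbox's packer signatures (not report values).
HIGH_ENTROPY = 6.8            # bits per byte above which a section counts as compressed
PACKED_RATIO = 0.2            # share of section bytes in compressed sections to call it packed
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk MZ -> PE -> COFF -> optional header and return one dict per section header."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]      # IMAGE_FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    first_hdr = coff + 20 + size_opt                           # section table follows the optional header
    sections = []
    for i in range(nsections):                                 # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, first_hdr + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_address": vaddr,
                         "virtual_size": vsize, "size_of_data": rsize, "raw_ptr": rptr})
    return sections


def triage(pe: bytes) -> dict:
    """Flag each section and compute the compressed-data ratio over all section raw bytes."""
    compressed = total = 0
    sections = parse_sections(pe)
    for s in sections:
        data = pe[s["raw_ptr"]:s["raw_ptr"] + s["size_of_data"]]
        s["entropy"] = shannon_entropy(data)
        s["flags"] = []
        if s["name"] in UPX_SECTION_NAMES:
            s["flags"].append("section name indicates UPX")
        if s["entropy"] > HIGH_ENTROPY:
            s["flags"].append("high entropy")
            compressed += s["size_of_data"]
        if s["raw_ptr"] + s["size_of_data"] > len(pe):   # truncated or corrupt image
            s["flags"].append("raw data extends past end of file")
        total += s["size_of_data"]
    ratio = compressed / total if total else 0.0
    upx_named = any("section name indicates UPX" in s["flags"] for s in sections)
    return {"sections": sections, "compressed_ratio": ratio,
            "packed": ratio > PACKED_RATIO or upx_named}


def build_sample_pe() -> bytes:
    """Constructed 32-bit DLL image with UPX0 / UPX1 / .rsrc sections (test input, not rc2.jpg)."""
    rnd = random.Random(1)
    upx1 = bytes(rnd.getrandbits(8) for _ in range(0x1000))   # pseudo-random stand-in for packed code
    rsrc = bytes(0x200)
    layout = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b"UPX0", 0x10000, 0x1000, 0, 0x200),                 # no raw data: unpacked code lands here at run time
        (b"UPX1", 0x1000, 0x11000, len(upx1), 0x200),
        (b".rsrc", 0x200, 0x12000, len(rsrc), 0x200 + len(upx1)),
    ]
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x2102)  # i386, DLL, 32-bit
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)          # PE32 magic, rest zeroed
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0)
                    for n, vs, va, rs, rp in layout)
    headers = dos + b"PE\0\0" + coff + opt + hdrs
    return headers.ljust(0x200, b"\0") + upx1 + rsrc


if __name__ == "__main__":
    result = triage(build_sample_pe())
    for s in result["sections"]:
        print(f"{s['name'].decode():8} va={s['virtual_address']:#07x} raw={s['size_of_data']:#07x} "
              f"entropy={s['entropy']:.3f} {s['flags']}")
    print(f"compressed ratio {result['compressed_ratio']:.3f}, packed={result['packed']}")
```

The out-of-bounds check matters for a packed DLL that the loader fails to map cleanly: a section whose PointerToRawData plus SizeOfRawData runs past the end of the file is the first thing to rule out before blaming the environment.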
Antivirus Result
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.ProxyChanger.4!c
MicroWorld-eScan Gen:Variant.Ursu.881037
FireEye Gen:Variant.Ursu.881037
Skyhigh Artemis!Trojan
ALYac Gen:Variant.Ursu.881037
Cylance unsafe
CrowdStrike win/malicious_confidence_100% (W)
K7GW Proxy-Program ( 005abcaa1 )
K7AntiVirus Proxy-Program ( 005abcaa1 )
Arcabit Trojan.Ursu.DD718D
Symantec Trojan.Gen.MBT
Elastic malicious (moderate confidence)
ESET-NOD32 a variant of Win32/ProxyChanger.XV
Cynet Malicious (score: 99)
APEX Malicious
Kaspersky Trojan.Win32.ProxyChanger.blr
BitDefender Gen:Variant.Ursu.881037
NANO-Antivirus Trojan.Win32.ProxyChanger.kcfueu
Avast Win32:TrojanX-gen [Trj]
Tencent Win32.Trojan.Proxychanger.Cwnw
Sophos Mal/Generic-S
F-Secure Trojan.TR/ProxyChange.vhsxg
DrWeb Trojan.ProxyChanger.4
VIPRE Gen:Variant.Ursu.881037
Emsisoft Gen:Variant.Ursu.881037 (B)
Ikarus Trojan.Win32.ProxyChanger
Webroot W32.Trojan.Gen
Varist W32/ABProxy.ZQKO-2860
Avira TR/ProxyChange.vhsxg
Antiy-AVL Trojan/Win32.ProxyChanger
Microsoft Trojan:Win32/Malgent!MSR
ZoneAlarm Trojan.Win32.ProxyChanger.blr
GData Gen:Variant.Ursu.881037
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5496005
McAfee Artemis!9727340E3615
MAX malware (ai score=89)
Malwarebytes Trojan.ProxyChanger
TrendMicro-HouseCall TROJ_GEN.R002H0CJC23
Rising Trojan.ProxyChanger!8.83 (TFE:5:pb8GMVSJ4OT)
MaxSecure Trojan.Malware.218946355.susgen
AVG Win32:TrojanX-gen [Trj]
DeepInstinct MALICIOUS