Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 2, 2023, 7:44 a.m.	Nov. 2, 2023, 7:48 a.m.

Size	411.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`4cb44bd5d786a7f2b53fd6d9602a2b8c`
SHA256	`46b721c436cd339be63937ca6b9912831af85f8fca25d0e752e900683f073a05`
CRC32	`5493C591`
ssdeep	`12288:urCFFvOtnYsaGQY4HFCaCCQ49nya09R/3W:UCmtnq9CaCSyI`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2023, 7:44 a.m.		1	1	0

section

.ndata

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 2, 2023, 7:44 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xffd5f0e0 registers.esp: 4586512 registers.edi: 0 registers.eax: 1968976824 registers.ebp: 4586520 registers.edx: 4292210912 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1	0	0

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 2, 2023, 7:44 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73272000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2023, 7:44 a.m.	process_identifier: 2668 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2023, 7:44 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\somtjfg.exe

file	C:\Users\test22\AppData\Local\Temp\somtjfg.exe

file	C:\Users\test22\AppData\Local\Temp\somtjfg.exe

section

{u'size_of_data': u'0x0000d000', u'virtual_address': u'0x00037000', u'entropy': 6.895564080355565, u'name': u'.rsrc', u'virtual_size': u'0x0000ced8'}

entropy

6.89556408036

description

A section with a high entropy has been found

entropy

0.630303030303

description

Overall entropy of this PE file is high

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2668 called NtSetContextThread to modify thread in remote process 2732
NtSetContextThread Nov. 2, 2023, 7:44 a.m.	registers.eip: 1995571652 registers.esp: 4586612 registers.edi: 0 registers.eax: 782560 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000d0 process_identifier: 2732	1	0	0

strakonaj2.1.exe