Summary | ZeroBOX

0311.dll

Malicious Library UPX PE64 PE File dll DLL DllRegisterServer
Category FILE
Machine s1_win7_x6401
Started Nov. 12, 2023, 6:46 p.m.
Completed Nov. 12, 2023, 6:48 p.m.
Size 1.1MB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 28ade89b1d09d13581d3abe00d7658fb
SHA256 ebe0924eedb62bb4bb919b354cb4566251f48effe00856916db08709ba1a4693
CRC32 860212AB
ssdeep 12288:lhg+AQfRmvXymsrfj0MIE7roWEl62ZRp39IQzwQYtefhL34tA/co44ez/jmZ80:l2+Aij0Mn7rNEVZZwZel3Udo44ez/qB
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file
  • DllRegisterServer_Zero - execute regsvr32.exe

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1
return: 1
repeated: 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895
stacktrace+0x84 memdup-0x1af @ 0x73980470
hook_in_monitor+0x45 lde-0x133 @ 0x739742ea
New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7398fc86
RtlSubAuthorityCountSid+0x9d7 RtlCompareUnicodeStrings-0x7a9 ntdll+0x31b07 @ 0x76d61b07
RtlSubAuthorityCountSid+0xcc8 RtlCompareUnicodeStrings-0x4b8 ntdll+0x31df8 @ 0x76d61df8
RtlSubAuthorityCountSid+0xb50 RtlCompareUnicodeStrings-0x630 ntdll+0x31c80 @ 0x76d61c80
RtlAllocateHeap+0x178 AlpcGetMessageAttribute-0x14e8 ntdll+0x53518 @ 0x76d83518
0x1ebca8f
0x3 (repeated 55 times)

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x76d80895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 8791598432256
registers.r15: 0
registers.rcx: 1365192
registers.rsi: 31982046
registers.r10: 3338192
registers.rbx: 244752
registers.rsp: 1369216
registers.r11: 0
registers.r8: 64
registers.r9: 1367520
registers.rdx: 1366536
registers.r12: 253952
registers.rbp: 1369616
registers.rdi: 4294964197
registers.rax: 1364872
registers.r13: 8791598432256
status: 1
return: 0
repeated: 0

__exception__

stacktrace:
RtlRaiseStatus+0x18 RtlInitializeContext-0x78 ntdll+0xcd7d8 @ 0x76dfd7d8
RtlIsDosDeviceName_U+0x15adc NtdllDialogWndProc_A-0x18c90 ntdll+0x6f55c @ 0x76d9f55c
VerSetConditionMask+0x7f4 DbgPrint-0xcc ntdll+0x157c4 @ 0x76d457c4
RtlDecodePointer+0xbd NtdllDefWindowProc_W-0x139f ntdll+0x29d0d @ 0x76d59d0d
RtlUnwindEx+0xbbf RtlRaiseException-0x3b1 ntdll+0x191af @ 0x76d491af
New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895
stacktrace+0x84 memdup-0x1af @ 0x73980470
0x1 (repeated 55 times)

exception.instruction_r: 48 8b 84 24 b8 01 00 00 33 d2 48 89 54 24 28 89
exception.symbol: RtlRaiseStatus+0x18 RtlInitializeContext-0x78 ntdll+0xcd7d8
exception.instruction: mov rax, qword ptr [rsp + 0x1b8]
exception.module: ntdll.dll
exception.exception_code: 0xc0000028
exception.offset: 841688
exception.address: 0x76dfd7d8
registers.r14: 8791598432256
registers.r15: 0
registers.rcx: 1357536
registers.rsi: 31982046
registers.r10: 0
registers.rbx: 244752
registers.rsp: 1371120
registers.r11: 1359424
registers.r8: 0
registers.r9: 1939275776
registers.rdx: 1939998976
registers.r12: 253952
registers.rbp: 1939732340
registers.rdi: 4294964197
registers.rax: 8
registers.r13: 8791598432256
status: 1
return: 0
repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef4204000
process_handle: 0xffffffffffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefeffd000
process_handle: 0xffffffffffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 2596
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000004d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304a000
process_handle: 0xffffffffffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000072ffd000
process_handle: 0xffffffffffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
status: 1
return: 0
repeated: 0
section .data: size_of_data 0x0003f800, virtual_address 0x000de000, virtual_size 0x00040cb8, entropy 7.940594586242795
description: A section with a high entropy has been found
entropy 0.220294882914
description: Overall entropy of this PE file is high